Enterprise Risk Management Lecture 9

Enterprise Risk Management Lecture 9. Why the Interest in ERM? Performance bar is raised for Financial Executives Your company can optimize overall returns

Enterprise Risk Management

Lecture 9

Why the Interest in ERM?

• Performance bar is raised for Financial Executives

• Your company can optimize overall returns and minimize risks

• Leverage existing control processes to meet emerging risk governance demands

• Rating agencies are incorporating ERM evaluation into overall corporate rating

• US Sentencing Guidelines offer consideration for effective risk management

Evolution of ERM COSO Internal Control Framework

• Operations

• Compliance

• Financial Reporting

Evolution of ERM COSO Enterprise Risk Management

• Strategy

• Operations

• Reporting

• Compliance

Defining ERM Portfolio View

[Figure: Average Annual Rate of Return (vertical axis) against Standard Deviation (horizontal axis), with regions labelled "Possible Combinations of Risk and Return" and "Unattainable Combinations"]

Modified from www.monkeychimp.com

Defining ERM Key Concepts

• Common Language

• Common Measurement

• Gross / Inherent Risk

• Response/Control/Mitigation

• Net / Residual Risk

[Diagram labels: Silo Risk (three times), Gross Risks, Response and Control, Net Risks]

Implementing ERM Getting Started

• Get Buy in from the Top

• Consolidate Risk Lists

• Document Existing Risk Management Silos

• Identify Gaps in Coverage

Decide Next Steps

• Fill Gaps to Demonstrate Value

• Establish Repeatable Process

Ad Hoc / Heroics

Initial Tasking

Implementing ERM Leverage Existing Processes

• Internal Audit

• Compliance

• Strategic Planning

• Operational Planning

• Board Reporting

Common Risk List

Assess Gross Magnitude and Likelihood

Prioritization of Risks

Self Assessment of Response and Control Capabilities

Consensus View on Net Risk

Disclosure of Risk Exposures

Risk and Control Focus

[Figure labels: Strategy, Policy, Operations, Compliance, Financial Reporting]

Enterprise Risk Management

Internal Audit

Sarbanes Oxley PMO

Implementing ERM Establishing a Process

• Get Management Talking About Enterprise Risk

• Develop Common Language

• Develop a Common Measurement Basis

• Establish an Enterprise Risk Management Framework

• Dedicate Staff

• Develop Expertise

Repeatable

Manageable

Implementing ERM Key Questions

• Quality: Are we taking the right kinds of risk?

• Quantity: Are we taking the proper amount of risk to meet our objectives?

• Resources: Are we allocating resources (financial, human, etc.) efficiently to manage risks?

• Advantage: Do we have a competitive advantage in a particular type of risk?

• Challenges:

– Cultural

– Operational

Optimizing…?

Sample ERM Implementation Lifecycle

Sample potential ERM Implementation Project Lifecycle

• Comprehensive Risk Identification

– Review existing risk lists

– Interview senior management

– Consolidate findings and report

• Collect and Index Extant Risk Related Process Documents

– Find policies and procedures related to significant risks

– Assess gaps in coverage i.e. risk identified but no related processes

• Assess gross risk

– Interview business unit managers to determine risk events, potential impact and likelihood of occurrence

– Review existing risk modeling at the business unit level

– Assess risk materiality and prioritize risks

– Document findings and report

Sample ERM Implementation Lifecycle (Cont’d)

• Assess capabilities to control and respond to risk

– Determine organizational structure and identify risk management capabilities

– Assist business unit managers in self assessing their capabilities to control and respond to risk using objective benchmarking criteria to determine relative strength

– Determine the risk and capability alignment (one to one, many to one, one to many) and assess interdependencies

– Document findings and report

• Assess residual risks

– Determine residual risk exposure based on higher risk materiality and lower related capabilities

– Document findings and report

• Develop Gap Closing Plan

– For higher risk materiality and lower related capabilities develop action plans to either modify risk materiality or strengthen capabilities

• Execute Gap Closing Initiatives

– Additional projects need to be scoped

Value Proposition Demonstrate Good Governance

• Transparency to Stakeholders

– Reveal natural hedges

– Understand how a single event or multiple events may impact the company as a whole

– Broader understanding of the aggregate exposure to risk

– No surprise

• Clarify Roles and Responsibilities

– Assign risks with no clear owner (reputation risk)

– Enhance collaboration in response to events

Risk Environment

Risk to the Enterprise

• Credit Risk

– Customer Financing

– Prepaid Services

– Loans

– Bonds

• Market Risk

– Interest Rate Risk

– Foreign Exchange

– Hedging Programs

• Business Risk

– Product Pricing

– Reserves

– Consumer Behavior

– Catastrophes

– Reputation

• Operational Risk

– People

– Processes

– Technology

– Outsourcing

– Fraud

Response and Control Capabilities

• Compliance

• Ethics

• Internal Audit

• Sarbanes Oxley

• Human Resources

• Technology

• Product Development

• Communications

• Insurance Programs

• Capital Management

Risk management capabilities exist throughout the enterprise:

Front office / sales

Middle office / support

Back office / processing

ERM Heat Map

[Heat map: Risk Materiality (Lower to Higher) on one axis against Response and Control Capabilities (Stronger to Weaker) on the other]

Decisions Under Risk and Uncertainty

Decision Type:

• Strategy

– Actions (examples): Determine what business the firm is in (consumer goods, financial services, etc.)

– Outcomes (examples): Type of good produced or service rendered

– Consequences (examples): Competitors, product liability exposure, regulatory climate

• Execution

– Actions (examples): Choose which market segments to pursue (luxury goods, private banking relationships)

– Outcomes (examples): Pricing and quality of goods sold or services rendered, nature of distribution channels

– Consequences (examples): Brand quality, barriers to entry

• Operations

– Actions (examples): Invest in infrastructure, such as new equipment

– Outcomes (examples): Skills and technology applications needed to produce goods or render services

– Consequences (examples): Dependencies on skills and technology, efficiency

• Organization

– Actions (examples): Define how people work and communicate

– Outcomes (examples): Profit and cash flow performance

– Consequences (examples): Responsiveness to change, capacity for growth

Risk Governance

• Decision making and controls related to risk taking

• Interagency Statement on Complex Structured Financial Transactions

• Rating agency consideration of ERM

• Organizational Sentencing Guidelines

• Internal Audit's role in ERM

• Shape the control environment to maximize value; remember that wanting greater returns usually implies taking more risk

Identifying Elevated Risk CSFT’s

Characteristics of Elevated Risk Complex Structured Financial Transactions:

• Lack economic substance or business purpose

• Questionable accounting, regulatory, or tax objectives

• Create misleading disclosures

• Involve circular transfers of risks

• Involve undocumented agreements that impact regulatory treatment

• Economic terms inconsistent with market norms

• Provide disproportionate compensation

Organizational Sentencing Guidelines Overview

• Established by the US Sentencing Commission

• Most recent revisions effective November 1, 2004

• Applies to many forms of organizations

– Companies

– Not for profits

– Unions

– Governments

– Others

• Focus on the effectiveness of compliance and ethics program

Effectiveness Criteria Responsibility and Authority

• Governing authority

– Is knowledgeable of the compliance and ethics program

– Exercises oversight of implementation and effectiveness

• Specific high level individuals shall have responsibility for the compliance and ethics program

• Specific individuals shall be delegated operational responsibility for the compliance and ethics program

– Report to governing authority / high level individuals

– Adequate resources

– Appropriate authority

Effectiveness Criteria Procedures

• Communication and training

• Monitoring and auditing

• Periodic evaluation of effectiveness

• Anonymous reporting processes

• Enforcement and consequences

• Risk assessment

ERM, Ethics and Compliance

• Adopting ERM is one way to demonstrate a commitment to good governance

• Enterprise wide risk assessments can help put the need for compliance and ethics program in context

• Compliance risk assessments can leverage the enterprise risk assessment and management process

• A coordinated testing strategy can save time and effort and reduce information overload

Standard & Poor’s Approach

Enterprise “risk management will become a separate major category of our analysis”

“The companies that are seen to be the best performers in this category will be those that have robust risk management processes that are carried out across the entire enterprise and that form a basis for informing and directing the firm’s fundamental decision making”

Standard & Poor’s Classification

Excellent

• Extremely strong capabilities to consistently identify, measure, and manage risk exposures and losses within the company's predetermined tolerance guidance

• Consistent evidence of the practice of optimizing risk adjusted returns

• Risk and risk management are always important considerations in corporate decision making

Weak

• Limited capabilities to consistently identify, measure, and manage risk exposures across the company and thereby limit losses

• Execution of risk management is sporadic

• Losses cannot be expected to be limited in accordance with predetermined tolerance guidelines

• Business managers have yet to adopt a risk management framework

• Risk management satisfies regulatory minimums but is not regularly applied to business decisions

Standard & Poor’s Cultural Indicators

Most Favorable:

• Corporate risk management responsibility rests with a senior influential officer

• With regular reporting and access to the board

• Risk tolerance is clearly articulated and consistent with firm goals and expectations

• Risk management policies and procedures are clearly stated and widely known

• Management views its risk management capabilities as a competitive advantage

Least Favorable:

• Corporate risk management responsibility rests with a middle manager or is nonexistent

• Access to the board is ad hoc or limited

• Risk tolerance is unclear and may vary from situation to situation

• Risk management policies and procedures are not fully documented

• Management views risk management as a frustrating constraint imposed by external policies

Standard & Poor’s Control Indicators

Most Favorable:

• Demonstrate process to identify significant risk experience

• All significant risk monitored on a regular basis with timely and accurate measures of risk

• Clearly documented limits and standards for risk taking and management that are widely understood

• Risk limits are enforced with clear predetermined consequences for exceeding limits

• Defined loss event post mortem review to determine if process improvements are necessary

Least Favorable:

• Not all significant risk exposures have been identified

• Risk monitoring is informal, irregular or nonexistent

• Risk limits not documented or are too broad to have an impact on operational decision making

• Review of compliance with limits is irregular and there are often no consequences for exceeding limits

• Minimal or limited review of loss events

ERM Value

Better Decision Making

• Facilitates risk management gap analysis

• Helps optimize gap closing spend and activities

• Common language and measurement of risk allows for more efficient risk monitoring and communication (eliminate duplication of effort)

– Also provides a context to align risk and control responsibilities

• Provides a meaningful context for external stakeholders

– Shareholders aware of risk to strategy and management's process to respond and control unwanted risk levels

– Rating agencies understand how risk is factored into decision making to optimize risk and reward

– Demonstrate good “tone at the top” corporate governance