ENTERPRISE RISK MANAGEMENT

LESSONS LEARNED FROM ERM IN A PUBLIC

SECTOR ORGANIZATION

March 14, 2013

Webinar on ERM

• What it is!

• What it is not!

2

Do You Know…..

• The underlying premises of ERM

• History of ERM

• COSO has developed an ERM framework

• Everyone is doing risk management already

3

Introduction

• ERM

• ISO standard on risk

management

• Risk management

4

1. Business at warp-speed

2. Obsolete business models

3. New business practices

4. Converging financial services providers

5. Increasingly demanding investors and regulators

6. Increasingly accountable and demanding directors

7. Increasingly effective processes for risk identification

8. Increasingly effective measurement tools

9. Increasingly effective information tools

10. Increasingly effective scenario analysis and planning

ERM and Risk Drivers

5

Why ERM is Essential

6

Lessons Learned From ERM ERM – the new perspective

• Fragmented

• Negative

• Reactive

• Ad hoc

• Cost-based

• Narrowly-focused

• Functionally-driven

• Integrated

• Positive

• Proactive

• Continuous

• Value-based

• Broadly-focused

• Process-driven

7

From To

What Companies Need to Address

• Unintentional Risks

• Intentional Risks

8

Polling Question # 1

9

Why do business leaders love the Chief Risk Officer?

(Select all that apply)

a) The CRO promotes Risk Management and Policy

b) The CRO determines what level of risk is acceptable to the

organization

c) The CRO controls the budgets on all issues so they don’t

have to

d) None of the above

ERM – What Does It Mean?

10

1. Establish goals, objectives and oversight

2. Assess business risk

3. Develop risk management strategies

4. Design and implement risk management capabilities

5. Monitor performance

6. Continuously improve risk management capabilities

7. Support the process with information for decision making

Evolution of Risk Management

To a Strategic Process

Stepping Stones Towards ERM

12

Linkage to Increasing risk management capabilities

opportunity and

competitive

advantage

Adopt

Common

Language

Establish

Goals,

Objectives

and

Oversight

Assess

Risk and

Develop

Strategies

Design/

Implement

Capabilities

Continuously

Improve

Aggregate

Multiple

Risk

Measures

Link to

Enterprise

Performance

Formulate

Enterprise

-wide Risk

Strategy

Polling Question # 2

13

Which one of the following is a CRO’s top priority?

(a) Computer malfunctioning

(b) Harrassment of an employee

(c) Customer complaint

(d) Suspected fraud

ERM Journey

• Expand corporate governance

• Unexpected losses

• Implement strategic management

tool

• Rapidly changing environment

• KPI shortfalls and tightened profit

margins

• Manage changing business model

• Improve capital budgeting

decisions

• Improve management of new

economy assets

• Aggressive growth strategies,

including M&A

• Improved integration desired

• Address lack of change

readiness

• Incentives/rewards not aligned

• Address fragmented and narrow

focus

• Reduce reactive decision-making

• More holistic approach desired

14

Common reasons Other possible reasons

What Are Risks?

15

Business Risk – What Does it Mean

To an Organization?

• Externally-driven

• Internally-driven

• Decision-driven

16

Polling Question # 3

17

If a CRO has an unlimited budget to spend on Risk

Management, can the organization become 100% risk-free?

a) Yes

b) No

How Do We Handle Business Risk?

18

Sources of

Uncertainty

Environment Risk Uncertainties affecting the

viability of business model

Process Risk Uncertainties affecting the

execution of business

model

Information for Decision-

Making Risk

Uncertainties over the

relevance and reliability of

information that supports

the value-creation decisions

Building an Enterprise-Wide

Business Risk Management Approach

19

1. Identify

2. Source

3. Measure

4. Evaluate

5. Manage

6. Monitor

Basic Risk Management Strategies Avoid Divest

• Prohibit

• Stop

• Target

• Screen

• Eliminate

Retain Accept

• Reprice

• Self-insure

• Offset

• Plan

Reduce Disperse

• Control

Transfer Insure

• Reinsure

• Hedge

• Securitize

• Share

• Outsource

• Indemnify

Exploit Allocate

• Diversify

• Expand

• Create

• Redesign

• Reorganize

• Price

• Arbitrage

• Renegotiate

• Influence

20

Quick Reference Guide

21

High frequency Low frequency

High severity Avoid Transfer

Low severity Reduce Retain

Polling Question # 4

22

An insurance company would not find it profitable to insure

against something that has high frequency AND high severity.

• True

• False

Factors to Consider

When Selecting Risk Strategy

a) Objectives and strategies

b) Capability

c) Time horizon

d) Financing

e) Residual (basis) risk

f) Manageability

g) Scenarios

h) Environment

i) Operational versus contractual

j) Interfaces

k) Orientation

l) Compliance

m) Pervasiveness

n) Frequency

o) Data availability

23

Monitoring Continuous

Improvement

a) Existing priority risk

b) New emerging risks

c) Risk management performance

d) Specific measures, policies and

procedures

a) Benchmarking performance to

identify best practices

b) Four-way interactive

communications and knowledge

sharing

c) Integrating the firm’s risk

language and process into its

employee learning programmes

24

Risk Map

25

Business Interruption Resource Availability Competitor Actions Business/Public Influences

Future Regulations

Efficiency/Productivity Hiring/Retaining Economic Influence Reputation Capacity

Budget & Planning Health & Safety Environmental Currency

Financial Instruments Compliance Liquidity/Cash Flow

Credit Default

Contracts Interest Rate

Likelihood

Polling Question # 5

26

Which occupational fraud is the most frequent offense?

a) Asset misappropriation

b) Corruption

c) Financial-statement fraud

Risk Reporting

27

<--

- Fr

equ

ency Contents -->

Ris

k m

aps

actu

al/t

arge

t

List

dri

vers

of

key

risk

s

KP

Is w

ith

lin

k to

fin

ance

Met

rics

on

key

dri

vers

Pro

gres

s re

po

rts

Head

Annually Office x x

Board of

Minimum once a year Directors x x x

Executive

Managers and

Minimum twice a year Risk owners x x x x x

Organizational Oversight Structure

28

1. Board of Directors

2. CEO

3. Risk Management Executive Committee

4. Business risk management function

5. Business Units, Divisions & Functional support

and shared services

6. Risk management compliance & Internal audit

Polling Question # 6

29

Risk management is the responsibility of

a) Board of Directors

b) Chief Executive Officer

c) Chief Financial Officer

d) Chief Risk Officer

e) Everyone

f) No one

Corporate Governance Model

30

Boar of Directors

l

CEO

l

Risk Management

Executive

l

COO CFOl

CIO, CLOChief Risk

Officer____________________

Business risk

management function

l

l____

Risk management

compliance

l

------Business Unit A l Division A ------____

Legal and regulatory

compliance

Functional,

------Business Unit B support Division B ------ ____ VaR Review

and shared

------Business Unit C services Division C ------ ____ Internal audit

Summary

31

1. Establish oversight structure

2. Define common language and framework

3. Target risks and processes

4. Develop overall goals, objectives and processes

5. Assess risk management capabilities

You are most welcome to contact the presenter “Balaji” to further

discuss ERM

< hotmail.me.now@gmail.com >

32