UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: Enterprise Risk Management...
Board Governance - Enterprise Risk Management
Forum for Corporate Directors - Leadership in the Board Room
UC Irvine - The Paul Merage School of Business, Executive MBA Program
July 18, 2009
1. Board Governance - Enterprise Risk Management
Forum for Corporate Directors - Leadership in the Board Room
UC Irvine - The Paul Merage School of Business, Executive MBA Program
July 18, 2009
2. Agenda
- Defining risk
- A new risk paradigm
- ERM: a process point of view
- Drivers of ERM
- ERM roles and responsibilities
- A practical approach to ERM: enterprise risk assessment; risk management framework assessment
Page 2 UC Irvine Executive MBA Enterprise Risk Management
3. Defining risk
A risk: the threat that an event, action, or non-action could adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully.
4. A new risk paradigm
Leading organizations expand their view of risks and enhance risk management beyond the traditional compliance function.
"Keep Us Out of Trouble" (the traditional view):
- Growing Number of Restatements
- Bigger Fines and Settlements
- Expanding Regulation
- Stiffer Sanctions
- Catastrophic Reputational Consequences
- Criminal Indictments
"Make Our Business Better" (the goal):
- Coordinated Risk Activities
- Enhanced Business Processes
- Risk-Adjusted Decisions
- Effective Use of Technology
- Improved Risk Reporting and Disclosure
- Reduced Total Risk Spend
Callouts on the slide: "All too confusing and overdone"; "Must do it"; "Except when we get in trouble"; "But how do we do it better?"
5. Enterprise Risk Management (ERM): a process point of view
Enterprise risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
COSO ERM cube, objective categories: Strategic; Operations; Reporting; Compliance.
COSO ERM cube, components: Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information & Communication; Monitoring.
Source: COSO Enterprise Risk Management - Integrated Framework
6. Drivers of ERM
7. Greater complexity of business environment and decision making
Various internal and external drivers and developments require companies to become more effective and efficient at managing risks.
External Drivers:
- Changing and expanding regulatory requirements
- Instability of economic and market conditions
- Geo-political developments
- Increasing litigations and fines
- Increasing scrutiny by rating agencies and listing exchanges
- Greater sophistication and scrutiny by board members
- Rapidly changing competitive landscape
- Others
Internal Drivers:
- More dynamic business models and changing technology requirements
- Greater distribution of business activities, locations, etc.
- Increasing interdependencies on business relationships (alliances, JV)
- Focus on preservation and leverage of intangible assets
- Increasing cost and/or scarcity of resources (material and labor)
- Focus on risk-adjusted decision making
- Others
8. Business advantages of good risk management
Benefits for the organization:
- Avoid surprises: a routine process to identify and manage potential issues
- Better governance: clear risk roles and responsibilities; clear risk communication, language, reporting and escalation
- Better decision making: considering the business impact of a broader range of scenarios
- Efficiencies: more effective and efficient risk functions; less overlap and fewer gaps in risk coverage
Benefits for stakeholders: surveys point to the value the financial markets and investment analysts ascribe to those companies that can demonstrate good risk management (bar chart: % of respondents, N = 137):
- Fewer negative surprises
- Greater financial stability
- Greater certainty of profitability
- Lower investment risk
- Better long-term share price performance
- Greater confidence to retain / increase stake
- Greater transparency
- Lower share price volatility
- Adds company value
9. Shareholder value of risk management
A survey of 137 institutional investors managing some of the world's largest funds concluded the following on the question whether it was worth paying a premium for companies that can demonstrate a successful approach to risk management:
- Strongly agree: 31%
- Agree somewhat: 51%
- Disagree somewhat: 6%
- Strongly disagree: 7%
- Not specified: 5%
Source: Global Risk Survey of 137 Institutional Investors managing the world's largest funds, November 2005
10. ERM consideration in the S&P debt rating evaluation
Scoring ERM in the debt rating process:
- S&P indicates that assessing a company's risk management capabilities is the most subjective of all areas when assigning a credit rating
- The process started to roll out in Q3 of 2008 with the introduction of the framework model and a focus on building specific industry benchmarks
- Rating adjustments expected in Q1/Q2 2009
- Ultimately, the evaluation of risk management may directly impact an organization's cost of capital
11. ERM roles and responsibilities
12. ERM roles and responsibilities (examples)
Board of Directors:
- Is ultimately responsible for the ERM program
- Approves risk appetite and risk tolerances
- Approves risk catalog and assessment methods
- Sets standards regarding risk policies and programs
- Monitors the quality of the program
ERM Steering Committee:
- Assembles executives from key functional areas and risk management functions
- Contributes knowledge on risks specific to particular business functions
- Communicates directly with business unit managers to promote ERM and obtain relevant information
- Shares experiences regarding risk strategies and risk mitigation tactics
- Coordinates ERM training and reporting
CEO:
- Coordinates design, implementation, and monitoring of the ERM program
- Contributes to the definition of risk policy, appetite, and tolerance
- Assigns roles and responsibilities for design, use, and monitoring of risk management techniques
- Decides on resource allocations for risk management strategies
- Decides on risk indicators, thresholds, and implementation of risk response strategies
- Reports to the board on risk issues
Risk Owner:
- Assumes responsibility for implementation and monitoring
- Contributes to risk assessment and ensures that risk response strategies remain pertinent and effective
- Documents implemented ERM efforts and reports on relevant risk issues / developments
13. The role of Internal Audit
(Fan diagram)
Core internal audit roles in regard to ERM:
- Giving assurance on the risk management process
- Giving assurance that risks are correctly evaluated
- Evaluating risk management processes
- Evaluating the reporting of key risks
- Reviewing the management of key risks
Legitimate internal audit roles with safeguards:
- Facilitating identification and evaluation of risks
- Coaching management in responding to risks
- Coordinating ERM activities
- Consolidated reporting on risks
- Maintaining and developing the ERM framework
- Championing establishment of ERM
- Developing RM strategy for board approval
Roles internal audit should not undertake:
- Setting the risk appetite
- Imposing risk management processes
- Management assurance on risks
- Making decisions on risk responses
- Implementing risk responses on management's behalf
- Accountability for risk management
Source: IIA UK, The Role of Internal Auditing in Enterprise-wide Risk Management
14. A practical approach to ERM
15. High-level risk management lifecycle
(Cycle diagram; center: Risk Management Components - Governance, Risk Culture, Policy & Mandate, Infrastructure & People, Methods & Practices, Information & Technology)
- Establish Risk Context & Drivers: identify value drivers
- Identify Risks: develop consistent risk taxonomy and risk repository and align relevant risks with value drivers (strategies, objectives, initiatives)
- Assess Risks: define consistent assessment criteria based on risk appetite and tolerances and assess relevant risks
- Develop Risk Response: define appropriate risk response strategy (i.e., acceptance, mitigation, sharing, transfer, etc.)
- Assess Risk Response: conclude on preliminary effectiveness of risk response and develop action plan for monitoring
- Monitor & Report: frequently monitor effectiveness of risk response (e.g., controls) and report on results
Page 15 Avery Risk assessment / ERM workshop
16. A practical approach to ERM
1 Enterprise Risk Assessment (ERA):
- Identify, assess and prioritize the key risks to achieving the organization's business objectives
- Embed and sustain ongoing risk assessment and monitoring into existing management processes
2 Risk Management Framework Assessment (RMFA):
- Define focus areas for framework enhancements aligned to industry risks and leading practice benchmarks
- Evaluate the maturity of design and consistency in application of the risk management and internal control framework
3 Risk Management Transformation:
- Define, improve and monitor efforts for the most significant risks to business objectives
- Align and coordinate risk and control groups across the breadth of the organization
17. A practical approach to ERM (overview)
(Diagram: 1 Enterprise Risk Assessment; 2 Risk Management Framework Assessment. Cycle: Assess, Improve, Monitor. Axes: Business strategy; Key business objectives; Key business risks; Comprehensive risk coverage; Risk and control activities; Coordination across the lines of defense; Alignment to business objectives)
- Key business objectives: New Product Development; Revenue and market share; Reputation and brand; Asset and capital management; Earnings and operating margins
- Operations and business units: Marketing & Advertising; Operations; Manufacturing & Production; Distribution & Logistics; Customer Support
- Support functions: IT; Sourcing & Procurement; Finance; Legal & Compliance; HR
- Monitoring and control functions: Treasury; Internal Audit; Tax; Financial control; Compliance; Risk Management
- Oversight: Executive management; Board Oversight; Audit committee; Other operating committees
18. ERA: identifying risks in the context of the business drivers
(Diagram; center: Business Drivers)
- Revenue and Market Share: How does the organization grow?
- Reputation and Brand: Do the stakeholders have a favorable view?
- Asset and Capital Management: How efficient is the organization?
- Earnings and Operating Margins: How profitable is the organization?
Surrounding influences: Changes to Strategy, People, Process, Technology; Merger and Acquisition Activity; New Product and Service Developments; External Events or Developments
19. ERA: a common categorization and understanding of risks
A common risk taxonomy and risk assessment method is the cornerstone of an effective ERA process.
Risk Universe categories:
- Strategic: Planning and Resource Allocation; Major Initiatives; Mergers, Acquisitions and Divestitures; Market Dynamics; Communication and Investor Relations
- Operations: Sales & Marketing; Supply Chain; People; Information Technology; Hazards; Physical Assets
- Financial: Market; Liquidity and Credit; Accounting and Reporting; Tax; Capital Structure
- Compliance: Governance; Code of Conduct; Legal; Regulatory
Key questions:
- What are our key risks and how do we measure the relevance of those risks?
- Are we focused on the risks that matter?
- Who is accountable for the key risks?
- Are resources aligned to our risk profile?
- Are we accepting the right level of risk?
- Are we receiving a fair return on that risk?
- Who is monitoring the significant risks?
- How are we improving key controls?
20. ERA: common techniques to assess and prioritize risks
A company may employ quantitative or qualitative risk assessment models, which need to be understood and accepted by the respective risk owners and executive management:
Methods / Techniques
- Quantitative models: Value at Risk (VaR); Cash Flow at Risk (CaR); Earnings at Risk (EaR); Monte Carlo simulation; others
- Qualitative models: risk map; self-assessments, interviews, or facilitated workshops; SWOT analysis; scenario analysis; others
Assessment Criteria
- Quantitative models: target or industry benchmarks
- Qualitative models: Risk Assessment Criteria (RAC) with impact and likelihood thresholds
Important Consideration
- Quantitative models: requires availability of a sufficient amount of data or understanding of models; well suited for financial risks
- Qualitative models: knowledge and judgment of the individuals involved is critical; well suited where risks don't lend themselves to quantification
21. ERA: relating risk appetite, risk tolerance and risk limits to prioritize risks
- Risk Capacity: The broad-based amount of risk a company is able to accept in pursuit of its mission, vision, business objectives and overall strategic goals - directly related to an entity's capital, liquidity and external stakeholder influence
- Risk Appetite: The broad-based aggregate amount of risk a company is willing to accept in pursuit of its mission, vision, business objectives and strategic goals - directly related to an entity's risk capacity as well as its culture, desired level of risk, risk management capability and business strategy
- Risk Tolerance: The specific maximum applicable to each category of risk regarding the magnitude of risks that the organization is willing to take to achieve its strategy and objectives - set such that the aggregation of risk tolerances ensures the organization operates within the risk appetite
- Risk Target: The optimal level of risk that the organization desires to take to achieve specific business objectives and operate within its appetite/tolerance for risk - defines the balance between risk and reward; the risk target is based on management's desired returns, the role of risk in achieving those returns and the capability to manage the risk/reward profile
- Risk Limits: Thresholds to ensure that variation from expected outcome will be consistent with the risk target, but will not exceed the risk appetite/tolerance - defines process level controls and management authorities, which should reflect the risk limits
22. ERA: risk map / assessment outputs (example)
(Risk map: x-axis "Focus and alignment of management preparedness", Low 1.0 to High 5.0; y-axis "Risk exposure (Impact x likelihood)", Low 0.0 to High 25.0; quadrants: Improve Controls, Monitor, Monitor Risks, Accept / Optimize)
Tier 1 risks:
1 Emerging Markets Growth
2 Liquidity / Cash Management
3 Key Supplier Dependence
4 Debt / Cost of Capital
5 IT Security and Privacy
6 Sourcing - Global Competition
7 IT - Infrastructure Efficiency
8 Joint Venture Relationships
9 Ineffective Financial Planning and Forecasting
10 Competitive Recruitment and Retention
11 Acquisitions and Integration
12 Evolving Regulatory Changes - United States Markets
23. RMFA: a view of required competencies
Leveraging the information obtained through the ERA, the company evaluates the design and application of the risk management competencies to define improvement opportunities.
Competencies (Assess / Improve / Monitor cycle): Strategy; Governance & Mandate; People; Methods and Practices; Monitor
Key questions:
- Do we have the proper oversight on risk and control?
- Are risk decisions made with proper guidance?
- Does the culture encourage taking the appropriate risks?
- Are efforts effectively aligned and coordinated to manage risk?
- Are risk and control activities efficient and effective?
- How are risks and controls assessed, monitored and improved?
24. RMFA: key focus areas to be assessed
The evaluation of an organization's risk management capabilities should be focused on a variety of key components and identify opportunities for enhancements across the organization.
- Governance: Tone At The Top; Strategies and Objectives; Policy and Procedures; Organizational Structure; Roles and Responsibilities; Communication
- People: Culture and Performance; Alignment and Coordination; Competence and Capabilities
- Methods and Practices: Risk Identification and Assessment; Risk Management Design and Effectiveness; Process Improvement and Efficiency; Compliance; Monitoring and Reporting; Technology
25. Wrap-up
26. Principles of Effective Risk Management: 6 key elements of successful ERM programs (E&Y's ERM point of view)
- Agreed risk strategy: The Board and management must provide guidance on the appropriate strategy and approach to Risk Management aligned to the organizational strategy.
- Clear governance framework: The Board will usually delegate day-to-day governance through an oversight structure that includes an enterprise risk committee and/or a chief risk officer.
- Efficient Risk Management processes: The organization needs defined procedures for assessing and continuously monitoring risks on an enterprise-wide basis.
- Appropriate technology: Effective systems providing access to information about risk identification, assessment and solutions to support the Risk Management processes.
- Coordination of Risk Management functions: Integrated risk functions embedded within the business to leverage expertise across the entire organization.
- The right culture and capability: Everyone in the organization must be attuned to the risk culture, and performance measurements must be risk based.
27. Parting comments
"A ship in harbor is safe -- but that is not what ships are built for." John A. Shedd, Salt from My Attic, 1928
Questions?
28. Speaker's bio
Peter Rosenzweig has more than 17 years of experience in the assessment, design, and implementation of complex risk management and internal control frameworks, including IT risk and control structures. Peter serves as regional subject matter resource in the application of Ernst & Young's Enterprise Risk Management methodology, and he has assisted various large organizations with the implementation or transformation of enterprise-wide risk management capabilities.
Contact Information
Peter Rosenzweig, Ernst & Young LLP, Risk Advisory Services
Direct: 213.977.5849
[email protected]
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 130,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve potential. For more information, please visit www.ey.com.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.