
Rethinking Risk in Finance – Growing Role of CFO as CRO - Dirk erlenkoetter


Page 1: Rethinking Risk in Finance – Growing Role of CFO as CRO - Dirk erlenkoetter

© 2015 Belden Inc. | belden.com | @BeldenInc.

Dirk Erlenkoetter Internal Audit Manager EMEA

Belden Inc.

Vienna, CFO Zone 2015 – 8th May 2015

Rethinking Risk in

Finance – Growing

Role of CFO as CRO

Page 2

AGENDA

1. Introduction – Company & Speaker

2. Risk Management Regulations

3. Self-Assessment and Facts & Figures

4. Risk Management Standards

5. Organization & Objectives of Risk Management

6. Risk Assessment & Risk Report

7. Enterprise-wide Risk Management

8. Corruption Risk Management

Page 3

1. Introduction – Company & Speaker

A Rich Heritage

• Founded by Joseph Belden in 1902 in Chicago

• A long history of innovation in communications technologies

• Early customers included Thomas Edison

• CEO John Stroup; headquarters St. Louis, MO

• Ca. 8,700 employees

• NYSE: BDC

• Operations in North and South America, Europe, Middle East, Africa and Asia Pacific

• Revenue $3.2B

• 30+ sales offices; 30+ manufacturing facilities

[Figure: heritage timeline – Radio in the 1920s; TV in the 1950s; Computer Networking in the 1980s and 1990s; portraits of Joseph Belden and Thomas Edison]

Belden Today: Business Platforms – Applications – Vertical Markets

Delivering highly engineered signal transmission solutions for mission-critical applications in a diverse set of global markets (Industrial, Enterprise, Broadcast; Data, Video, Sound)

Page 4

Transformation from a Regional Cable Supplier to a Global Signal Transmission Solutions Provider

Belden Business System – Strategy, Culture and Values

[Figure: acquisition timeline 2005–2015, by business platform and quarter – Industrial Connectivity, Industrial IT, Broadcast and Communication Products acquisitions, ending with Q1 2015]

1. Introduction – Company & Speaker

Page 5

Four Business Platforms Delivering Innovative Connectivity Solutions

Industrial Connectivity Solutions

• Connectors

• Industrial Cable

• Patch Cords

• Distribution Boxes

• Customized Connectivity Solutions

Industrial IT Solutions

• Ethernet Switches, Routers and Gateways

• Security Devices

• Network Management Software

Enterprise Connectivity Solutions

• Racks and Enclosures

• Copper and Fiber Connectivity

• Ethernet, Fiber Optic and Coaxial Cabling

• Custom Infrastructure Solutions

Broadcast Solutions

• Broadcast Cameras

• Live Production Systems

• Routers and Interfaces

• Broadcast Connectors

• Broadband Connectivity

• Playout Systems

1. Introduction – Company & Speaker

Page 6

1. Introduction – Company & Speaker

Dirk Erlenkoetter

• Internal Audit Manager EMEA Belden Inc.

• Director Internal Audit SKW Stahl-Metallurgie Holding AG

• Interim-CFO Magna Seating Czech Divisions

• Senior Internal Auditor Magna International Germany GmbH

• Audit Manager Salzgitter Klöckner-Werke GmbH

• Auditor Internal Audit & Integrity Services BDO Germany

Page 7

1. Introduction – Company & Speaker

Dirk Erlenkoetter

• Degrees in Business Administration and in Law

• Certified Risk Manager

• Certified Compliance-Officer

• Certification in Control Self-Assessment (CCSA)

• Speaker at

Page 8

2. Risk Management Regulation

Laws Enacted:

• "Obligationenrecht" (Swiss Code of Obligations), Switzerland

• "Gesetz zur Kontrolle und Transparenz im Unternehmensbereich" (KonTraG), 1998, Germany

• "Bilanzrechtsmodernisierungsgesetz" (BilMoG, Accounting Law Modernisation Act), 2009, Germany

• "Verbandsverantwortlichkeitsgesetz" (Corporate Criminal Liability Act), Austria

• "Sarbanes-Oxley Act" (SOX), 2002, USA

SOX was enacted in reaction to a number of major corporate and accounting scandals (Enron: misstated profits; WorldCom: fraudulent accounting entries).

Top management must individually certify the accuracy of financial information; penalties for fraudulent financial activity became much more severe.

SOX increased the oversight role of boards of directors and the independence of the outside (and internal) auditors who review the accuracy of corporate financial statements.

Page 9

SOX created the Public Company Accounting Oversight Board (PCAOB), charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies; the act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.

SOX Section 302 – Disclosure Controls: mandates a set of internal procedures designed to ensure accurate financial disclosure; the signing officers must "have evaluated the effectiveness of the company's internal controls".

SOX Section 404 – Assessment of internal control: mandates management to select an internal control framework and then assess and report on the design and operating effectiveness of their internal controls annually. This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.

2. Risk Management Regulation

Page 10

SOX Section 404 – Management is responsible for performing its assessment in the context of a top-down risk assessment (which requires management to base both the scope of its assessment and the evidence gathered on risk); according to several boards' by-laws, the CFO is responsible for Risk Management.

Quantification of risks: Risk Controlling

BUT: none of these regulations specifies concretely how risk management is to be implemented.

2. Risk Management Regulation

Page 11

Motivation of Risk Management:

• Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives;

• The effect this uncertainty has on an organization's objectives is "risk";

• Globalization increases uncertainty (financial markets, production, banking);

• Complex structures and processes, missing interfaces;

• Loss prevention;

• Silo mentality;

• Conflicts of interest.

3. Self-Assessment and Facts & Figures

Page 12

So what does all this mean for practitioners?

The biggest change is shifting an organization's risk focus from a rear-view-mirror perspective to what we can call "a global positioning orientation"!

3. Self-Assessment and Facts & Figures

Page 13

Maturity of Risk Management:

Basic Risk Management

• Compliance with regulatory requirements

Advanced Risk Management

• Reconciliation of Forecast and Risk Maps

• Integration in Budget and Forecast

• Forecasting Scenarios and Overall Risks / Risk Exposure

Optimized Risk Management

• Risk Bearing Ability / Net Risk Exposure

3. Self-Assessment and Facts & Figures

Page 14

Deloitte Survey 2014:

• 40 % of the biggest global corporations lost more than 20 % of their shareholder value within a single month at some point in the last 10 years;

• 90 % of the losses were generated by aggregated risks;

• Huge losses were due to risks characterized by a high negative impact but a low likelihood;

• In all of these corporations a risk management function to control and monitor risks had been established by management.

3. Self-Assessment and Facts & Figures

Page 15

Survey Horváth & Partners 2011:

• 25 % of the interviewed companies have no formalized risk management process implemented;

• Significant improvement was noted concerning the integration of risk management;

• Main objectives were compliance with regulation, business continuity / going concern, and encouragement of risk awareness;

• > 50 % of the interviewed companies identified significant room for improvement regarding risk management.

3. Self-Assessment and Facts & Figures

Page 16

Survey ACE European Group / Economist Intelligence Unit 2007:

• 97 % of the 218 interviewed managers believe that risk management is a competitive advantage / unique selling proposition;

• Risk management plays an important role in increasing shareholder value;

• For 40 % of the interviewed managers, reputation risk is the most important risk;

• 60 % of the interviewed managers said that the budget for risk management increased in recent years;

• Risk management development is focused on risk reporting, training and enhancement of risk analysis;

• Increase of risk management resources.

3. Self-Assessment and Facts & Figures

Page 17

Standards:

• 1999: IDW PS 340 – External audit of risk management as part of the year-end audit (conducted by the year-end auditor)

• 2002: "Deutscher Corporate Governance Kodex" (DCGK), German Corporate Governance Code

• 1992 / 2004: "Committee of Sponsoring Organizations of the Treadway Commission" COSO Framework I (Internal Control, 1992) & II (ERM, 2004)

• 2004: ONR 49000 ff. (ON-Regelwerk 49000, Risk Management for Organizations and Systems)

• 2009: ISO 31000 – Risk Management: Principles and Guidelines

• DIIR Revisionsstandard Nr. 2, Deutsches Institut für Interne Revision (Institute of Internal Auditors Germany)

• ISO 22301:2012 Business Continuity Management System (the world's first international standard for Business Continuity Management)

4. Risk Management Standards

Page 18

What is COSO?

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector initiative dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence.

• Five nonprofits are its sponsoring organizations:

 (1) AAA (American Accounting Association),

 (2) AICPA (American Institute of Certified Public Accountants),

 (3) FEI (Financial Executives International),

 (4) IIA (Institute of Internal Auditors), and

 (5) IMA (Institute of Management Accountants).

4. Risk Management Standards

Page 19

[Figure: COSO I cube (left, Internal Controls) and COSO II cube (right, ERM)]

COSO I: framework for internal controls, focused on accounting and financial reporting.

COSO II: enhanced framework for Enterprise Risk Management.

4. Risk Management Standards

Page 20

COSO I: 1992 Internal Control – Integrated Framework

• SOX 404 requires management at public companies to select an internal control framework and then assess and report on the design and operating effectiveness of their internal controls annually.

COSO II: 2004 COSO Enterprise Risk Management (ERM)

• ERM is defined as a top-down process and an input to corporate strategy, with a holistic approach (Internal Environment, Objective Setting, Event Identification – positive / negative, Risk Assessment, Risk Response, Risk Monitoring).

• COSO places a greater degree of responsibility on the board than any other framework, requiring not only that the board support ERM, but that it be directly involved in the ERM process.

4. Risk Management Standards

Page 21

• To achieve their mission, organizations need to develop interrelated strategies and objectives across the enterprise; the COSO ERM Framework breaks these strategies and objectives into four distinct categories:

Strategic Risks: Organizations need to consider a number of sustainability issues, many of which can have a significant strategic impact (ranging from market position and changing customer demand to strategic investments, stakeholder communications and investor relations).

Operational Risks: Changes in weather patterns, escalating impacts of natural disasters and other extreme weather events, rising population, lack of natural resources, supply chain impacts.

Compliance Risks: New and expanding regulatory compliance risks.

Reporting Risks: Transparent, accurate and precise reporting, including reporting on sustainability.

4. Risk Management Standards

Page 22

• The COSO ERM Framework builds on eight interrelated components to establish effective ERM:

(1) Internal Environment: reflects the tone of an organization and how it considers and manages risk (what is the risk appetite?). Important: this is an opportunity for top management to proactively align and drive the organization!

(2) Objective Setting: backdrop for risk considerations and management activities.

(3) Event (Risk) Identification: organizations need to evaluate all risk exposures relative to potential sustainability issues; most risk identification scales include three to five impact dimensions, graduated from low (minimal) impact to high (catastrophic) impact.

(4) Risk Assessment: risk root cause and sensitivity analysis to understand the drivers and pathways of organizational risks.

4. Risk Management Standards

Page 23

(5) Risk Response: risk responses should be tied to the drivers of risk and anchored in what is an acceptable range of solutions.

Risk Treatment

1. MITIGATE – Corrective action to eliminate or reduce impact or likelihood

2. AVOID – Cease the activity to eliminate the risk

3. TRANSFER – Shift the impact to another entity

4. ACCEPT – No corrective action. Document the acceptance decision and monitor

(6) Control Activities: sustainability resources, the controller's office, operations and other relevant stakeholders can work closely together to develop policies and procedures that effectively execute risk responses.

4. Risk Management Standards

Page 24

Important: Internal Audit can also perform audits to evaluate the effectiveness of sustainability practices, communication protocols and reporting initiatives. These audits enable the organization to obtain an independent analysis of the design and operating effectiveness of sustainability initiatives!

(7) Information and Communication: critical factors for managing risks and opportunities, particularly those associated with sustainability.

(8) Monitoring: to ensure that an organization is achieving its objectives, staying within its risk tolerance threshold and satisfying stakeholders, it should constantly monitor and evaluate the sustainability activities it undertakes.

4. Risk Management Standards

Page 25

International Organization for Standardization (ISO): ISO 31000

• ISO is the worldwide federation of national standards bodies.

• This international standard establishes a number of principles that need to be satisfied to make risk management effective.

• It recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization's overall governance (strategy and planning, management, reporting processes, policies, values and culture).

• ISO 31000 shifts the focus from the event to the effect that risk and risk management have on the organization's objectives (trying to predict events can be difficult; objectives typically are clearer and more precisely articulated).

4. Risk Management Standards

Page 26

International Organization for Standardization (ISO): ISO 31000

• ISO 31000 puts the emphasis squarely on risk management as a strategic discipline for making risk-adjusted decisions, rather than a compliance-based function.

• ISO 31000 is not designed to provide assurance around controls; it focuses on the actions taken on identified risks.

• Although the practice of risk management has been developed over time and within many sectors in order to meet diverse needs, the adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently and coherently across an organization.

4. Risk Management Standards

Page 27

4. Risk Management Standards

Page 28

Dimensions of Risk Management:

(1) Risk transparency / insight (Risk Inventory and Risk Reports)

(2) Risk appetite / strategy (How much risk is comfortable? What kind of risk am I willing to take, and how do I expect to profit from those risks? What is my risk capacity?)

(3) Risk-related business processes and decisions (strategic planning, capital allocation, financing)

(4) Risk organization and governance (Risk Group Board, divisional CEOs and CFOs, Risk Management Board, Corporate Internal Audit, Corporate Risk Management)

(5) Risk culture (all norms of behavior for individuals and groups within the company that determine the collective willingness to accept or take a risk, and the ability to identify, understand, discuss, and act on risks)

5. Organization & Objectives of Risk Management

Page 29

Objectives of Risk Management:

(1) Increase the likelihood of achieving objectives

(2) Encourage proactive management

(3) Identify and treat risk throughout the organization

(4) Comply with relevant legal and regulatory requirements and international norms

(5) Improve financial reporting

(6) Improve governance

(7) Improve stakeholder confidence and trust

(8) Establish a reliable basis for decision making and planning

(9) Improve controls

5. Organization & Objectives of Risk Management

Page 30

Risk Management Mistakes (Harvard Business Manager, 2009):

(1) Relying on historical data

(2) Imprecise operating figures

(3) Ignoring recognizable risks

(4) Ignoring hidden risks

(5) Improper risk communication

(6) Improper risk response

5. Organization & Objectives of Risk Management

Page 31

Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.

(1) Risk Identification

• The organization should identify sources of risk, areas of impact, events (including changes in circumstances) and their causes and potential consequences:

 – Generate a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives;

 – Comprehensive identification is critical, because a risk that is not identified at this stage will not be included in further analysis.

• Identification should include risks whether or not their source is under the control of the organization, even though the risk source or cause may not be evident:

 – Cascade and cumulative effects!

6. Risk Assessment & Risk Report

Page 32

 – All significant causes and consequences should be considered;

 – The organization should apply risk identification tools and techniques that are suited to its objectives and capabilities, and to the risks faced (Risk Inventory Tools).

• A practical approach is Risk Ownership by experts at different group levels, to achieve a holistic and consistent understanding of the risks which could potentially impact the company.

• Results are assessments and scenarios on a subjective basis.

• Sources of risk identification: discussions, budget, forecast, judgment, information from other departments (Internal Audit, Compliance, etc.).

• Methods of risk identification: most common is a risk universe / risk catalog, IT tools (risk inventory system, risk management system), workshops, interviews, key ratios; also: Failure Mode and Effects Analysis (FMEA), Fault Tree Analysis (FTA), Analysis of Variance (ANOVA), Delphi Method.

6. Risk Assessment & Risk Report

Page 33

(2) Risk Analysis

• Risk analysis develops an understanding of the risk and provides an input to risk evaluation and to decisions on whether risks need to be treated.

• It involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur:

 – Factors that affect consequences and likelihood should be identified;

 – Risk is analyzed by determining consequences and their likelihood;

 – An event can have multiple consequences and can affect multiple objectives. Existing controls and their effectiveness and efficiency should also be taken into account;

 – It is also important to consider the interdependence of different risks and their sources;

6. Risk Assessment & Risk Report

Page 34

 – Factors such as divergence of opinion among experts, uncertainty, availability, quality, quantity and ongoing relevance of information, or limitations on modelling should be stated and can be highlighted.

• Analysis can be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances.

• Consequences and their likelihood can be determined by modelling the outcomes of an event or set of events, or by extrapolation from experimental studies or from available data.

• Consequences can be expressed in terms of tangible and intangible impacts.

6. Risk Assessment & Risk Report

Page 35

(3) Risk Evaluation

• The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis.

• Risk evaluation involves comparing the level of risk found during the analysis process with the risk criteria established when the context was considered:

 – based on this comparison, the need for treatment can be considered;

 – two-dimensional evaluation: Likelihood and Impact (positive or negative);

 – the product of Likelihood and Impact is the Expected Value;

 – evaluation on a gross basis (before controls) and on a net basis (after existing controls);

 – evaluation by a single value.

6. Risk Assessment & Risk Report

Page 36

(3) Risk Evaluation

• Example: Brazilian Division

6. Risk Assessment & Risk Report

Page 37

(3) Risk Evaluation

• Highly exposed risks / difficult circumstances: a distribution function such as a triangular distribution or a multinomial distribution can facilitate the risk evaluation.

[Figure: triangular distribution over the impact axis, defined by the three estimates Best case, Most Likely and Worst case]

 – easy to apply

 – a separate evaluation of the likelihood is not necessary

6. Risk Assessment & Risk Report

Page 38

(4) Risk Report

• Risk reporting at least on a quarterly basis

• Risk report addressees: shareholders, stakeholders, investors, senior management / board, supervisory board / Verwaltungsrat, internal / external auditors

• Top Group Risks / Top Entity Risks

• Best practice: the risk report includes all risks whose net evaluation of likelihood exceeds 50 %

• Management summary on an annual basis

6. Risk Assessment & Risk Report
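The three evaluation slides above (Likelihood × Impact = Expected Value on a gross and a net basis; the triangular Best / Most Likely / Worst estimate for highly exposed risks) and the reporting threshold (net likelihood > 50 %) are easier to reason about in code. The following Python is an added worked example, not part of the original presentation or of Belden's risk inventory; the risk names, likelihoods and kEUR figures are constructed sample data, and the Monte Carlo aggregation is a common practitioner technique the slides only allude to ("cascade and cumulative effects", "90 % of losses were generated by aggregated risks").

```python
"""Risk evaluation and reporting: likelihood x impact expected values on a gross
and a net basis, the net-likelihood report filter, and a triangular-distribution
Monte Carlo aggregation of one entity's risk inventory (constructed sample data)."""
from dataclasses import dataclass
import random
import statistics


@dataclass(frozen=True)
class Risk:
    name: str
    gross_likelihood: float   # probability within the reporting period, before controls
    gross_impact: float       # single-point impact estimate in kEUR, before controls
    net_likelihood: float     # probability after existing controls are taken into account
    # Triangular estimate of the net impact, used where a single value is too coarse
    best: float               # best case (minimum loss), kEUR
    most_likely: float        # mode, kEUR
    worst: float              # worst case (maximum loss), kEUR

    def __post_init__(self):
        # Reject inconsistent inventory entries early instead of silently producing EVs
        if not (0.0 <= self.net_likelihood <= self.gross_likelihood <= 1.0):
            raise ValueError(f"{self.name}: need 0 <= net likelihood <= gross likelihood <= 1")
        if not (self.best <= self.most_likely <= self.worst):
            raise ValueError(f"{self.name}: need best <= most likely <= worst")

    def gross_expected_value(self) -> float:
        return self.gross_likelihood * self.gross_impact

    def net_impact(self) -> float:
        # Mean of a triangular distribution with minimum a, mode c and maximum b is (a + c + b) / 3
        return (self.best + self.most_likely + self.worst) / 3.0

    def net_expected_value(self) -> float:
        return self.net_likelihood * self.net_impact()


# Constructed sample inventory for one division (hypothetical, not Belden data)
INVENTORY = [
    Risk("FX exposure BRL/USD",      0.60, 1200.0, 0.55,  200.0,  600.0, 1500.0),
    Risk("Key supplier insolvency",  0.30, 2000.0, 0.15,  300.0,  900.0, 2500.0),
    Risk("ERP migration overrun",    0.50,  800.0, 0.40,  100.0,  400.0, 1000.0),
    Risk("Warehouse fire",           0.05, 5000.0, 0.02, 1000.0, 3000.0, 6000.0),
]


def report_candidates(risks, threshold=0.5):
    """Names of the risks whose net likelihood exceeds the reporting threshold (slide: > 50 %)."""
    return [r.name for r in risks if r.net_likelihood > threshold]


def ranked_by_net_expected_value(risks):
    """Top-risk ordering for the report: highest net expected value first."""
    return sorted(risks, key=Risk.net_expected_value, reverse=True)


def simulate_aggregate_exposure(risks, runs=20000, seed=2015):
    """Monte Carlo: in each run every risk occurs with its net likelihood and, if it does,
    draws a loss from its triangular distribution; the losses are summed, so cumulative
    effects show up in the tail (p95, max) rather than only in the per-risk expected value."""
    rng = random.Random(seed)  # seeded so the figures are reproducible
    totals = []
    for _ in range(runs):
        total = 0.0
        for r in risks:
            if rng.random() < r.net_likelihood:
                # random.triangular(low, high, mode)
                total += rng.triangular(r.best, r.worst, r.most_likely)
        totals.append(total)
    totals.sort()
    return {
        "mean": statistics.fmean(totals),
        "p95": totals[int(0.95 * runs) - 1],
        "max": totals[-1],
        # Closed-form check: sum of net likelihood x triangular mean per risk
        "analytic_mean": sum(r.net_expected_value() for r in risks),
    }


if __name__ == "__main__":
    for r in ranked_by_net_expected_value(INVENTORY):
        print(f"{r.name:26s} gross EV {r.gross_expected_value():8.1f}  net EV {r.net_expected_value():8.1f} kEUR")
    print("report (net likelihood > 50 %):", report_candidates(INVENTORY))
    print("aggregate net exposure (kEUR):", simulate_aggregate_exposure(INVENTORY))
```

The point of the simulation is the comparison between `analytic_mean` (what a sum of single-value expected values shows the board) and `p95` / `max` (what the division actually has to be able to bear in a bad quarter); the latter is the figure to hold against risk bearing ability. The 50 % net-likelihood filter alone would leave the low-likelihood, high-impact warehouse fire out of the report, which is exactly the category the Deloitte survey slide flags, so the ranked list and the tail figures should accompany the filtered list.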

Page 39

(4) Risk Report

• Risk Map

6. Risk Assessment & Risk Report

Page 40

What is Enterprise-wide Risk Management (ERM)?

• ERM is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

Responsibility for ERM?

• The board has overall responsibility for ensuring that risks are managed.

• In practice, the board will delegate the operation of the risk management framework to the management team.

• Everyone in the organization plays a role in ensuring successful enterprise-wide risk management, but the primary responsibility for identifying risks and managing them lies with management.

7. Enterprise-wide Risk Management

Page 41

Benefits of ERM

• Greater likelihood of achieving objectives;

• Consolidated reporting of disparate risks at board level;

• Improved understanding of the key risks and their wider implications;

• Identification and sharing of cross business risks;

• Greater management focus on the issues that really matter;

• Fewer surprises or crises;

• More focus internally on doing the right things in the right way;

• Increased likelihood of change initiatives being achieved;

• More informed risk-taking and decision-making.

7. Enterprise-wide Risk Management

Page 42

The activities included in ERM

• Articulating and communicating the objectives of the organization;

• Determining the risk appetite of the organization;

• Establishing an appropriate internal environment, including a risk management framework;

• Identifying potential threats to the achievement of the objectives;

• Assessing the risks (impact / likelihood of the threat occurring);

• Selecting and implementing responses to the risks;

• Undertaking control and other response activities;

• Communicating information on risks in a consistent manner at all levels in the organization;

• Centrally monitoring and coordinating the risk management processes and the outcomes, and

• Providing assurance on the effectiveness with which risks are managed.

7. Enterprise-wide Risk Management

Page 43

Providing Assurance on ERM

• One of the key requirements of the board or its equivalent is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level;

• This assurance should be complemented by the provision of objective assurance, for which the internal audit activity is a key source!

7. Enterprise-wide Risk Management

Page 44

2011 Risk and Insurance Management Society (RIMS) Executive Report: Risk Maturity Model for Enterprise Risk Management (ERM)

(1) ERM-based approach: Gaining executive support within the corporate culture

(2) ERM process management: Integrating ERM into business processes

(3) Risk appetite management: Establishing accountability within leadership and policies to guide decision-making

(4) Root cause discipline: Binding events to their process sources

(5) Uncovering risks: Performing risk assessments to document risks and opportunities

(6) Performance management: Executing organizational vision, mission and strategy through outcomes-based measurements

(7) Business resiliency and sustainability: Integrating ERM into operational planning and execution

7. Enterprise-wide Risk Management

Page 45

Example: Risk Management Workflow (Risk Inventory)

7. Enterprise-wide Risk Management

Page 46

8. Corruption Risk Management

Page 47

• Wherever multinational companies are active, they are subject to more anti-corruption legislation than ever before; meanwhile, as international legislation becomes increasingly strict as well as more widespread, corruption itself remains a broad and complex problem.

• What is "Corruption"?

 "Corruption" can include graft, bribery, facilitation payments or other forms of improper business practice. Corruption can assume all kinds of local nuances, which may be euphemisms for illegal and unethical business practices.

• How do I handle this from a CFO perspective?

 The best approach is to conduct a comprehensive corruption risk assessment; the more tailored the assessment is to your operations and requirements, the better your organization will be protected against the risks that might occur.

8. Corruption Risk Management

Page 48

• SOX Sections 302 and 404 together also require a fraud risk assessment to be performed and an anti-fraud program to be established.

• As stringent anti-corruption legislation comes into force (FCPA, UK Bribery Act), you should be conducting a more specific assessment of the risks your company faces. You will need to know whether or not your organization can operate commercially in a given environment, and in compliance with all relevant legislation.

• In the case of the UK Bribery Act, the Serious Fraud Office (SFO) states that corruption cases involving companies that can prove they have 'adequate procedures' in place to mitigate corruption risk are more likely to avoid charges for single offences. A bespoke corruption risk assessment is an essential first step towards adhering to the six general principles that make up 'adequate procedures' (the defence to the section 7 "failure to prevent bribery" offence, as set out in the UK Ministry of Justice's Bribery Act 2010 guidance):

8. Corruption Risk Management

Page 49

• What are adequate procedures? The UK’s six anti-corruption general

principles:

(1) Risk Assessment

(2) Top-level Commitment

(3) Due Diligence (3rd Parties)

(4) Clear Practical and Accessible Policies and Procedures

(5) Effective Implementation

(6) Monitoring and Review

8. Corruption Risk Management

Page 50

• Proactive anti-fraud program to comply with regulatory requirements and maximize stakeholder value; promoting an anti-fraud environment!

• The program needs full support and proper implementation from the organization to reduce the risk of fraud and increase the likelihood that, if fraud does occur, it will be detected at an early stage;

• Certain conditions can create a fertile environment for fraud, including:

 – Lack of awareness by management of the organization's fraud risk factors

 – Inadequate organizational structures, policies and procedures

 – Insufficient emphasis on, and understanding of, ethical duties throughout the organization

 – Insufficient knowledge of the warning signs of fraud

 – Ineffective mechanisms for reporting, investigating and remediating fraud

 – Ineffective board and audit committee oversight

8. Corruption Risk Management

Page 51

CONTACT:

Dirk Erlenkoetter Internal Audit Manager EMEA

Belden Inc.

Edisonstraat 9

P.O. Box 9, 5900 AA Venlo

The Netherlands

Direct: 0031-77-3878-278

Mobile: 0049-171-7903066

Email: [email protected]