Enterprise risk management ERM ERM v3bis

DOCUMENT INFORMATION

Basic information

Format
Pages: 70
Size: 1.29 MB

Contents

Enterprise Risk Management (ERM) "Integrated Framework"

IMPLEMENTATION: Risk Management Vision and Objectives; Conducting Risk Assessments

FUNDAMENTALS & ROLES
• The Fundamentals
• COSO Enterprise Risk Management
• Role of Executive Management
• Role of the Director
• Role of the Chief Risk Officer
• Risk Management Oversight Structure
• Role of Internal Audit

IMPLEMENTATION
• Risk Management Vision and Objectives
• Conducting Risk Assessments
• Getting Started – Set the Foundation
• Building & Enhancing Capabilities
• Building a Compelling Business Case
• Making it Happen
• Relevance to Sarbanes-Oxley Compliance
• Other Questions

RM Vision and Objectives
How does management develop a shared vision for the role of risk management in the organization? What is the practical use of a shared vision?
• A senior management working group develops a "risk management vision": a shared view of the role of risk management in the organization and of the capabilities desired to manage its key risks (the "big picture view").

RM Vision and Objectives
• The risk management vision is a "call for action" that drives the organization to identify, design and build the risk management capabilities needed to close significant gaps and to make management's selected risk responses happen.

RM Vision and Objectives
• Specific capabilities for managing priority risks: the priority risks are selected and the current state of risk management capability is determined; the desired future state is then assessed with the objective of advancing the maturity of the capabilities around managing those risks, so as to close significant gaps and deliver management's desired outcomes.

RM Vision and Objectives
ERM infrastructure:
• Overall risk management policy
• Enterprise-wide risk assessment process
• Integration of risk responses with business plans
• Presence on the board and CEO agenda
• Chartered risk committee
• Clarity of risk management roles and responsibilities
• Dashboard and other risk reporting
• Proprietary tools to portray a portfolio view of risk

RM Vision and Objectives
How does management define the entity's risk management goals and objectives?
• Develop a common understanding of risk across multiple functions and business units to manage risk cost-effectively
• Achieve a better understanding of risk for competitive advantage
• Build safeguards against earnings-related surprises
• Build and improve capabilities to respond effectively to low-probability, critical, catastrophic risks
• Achieve cost savings through better management of internal resources
• Allocate capital more efficiently

RM Vision and Objectives
RM goals and objectives should be consistent with, and supportive of, the enterprise's business objectives and strategies, which:
• target the markets and geographies in which the firm does business;
• specify the products and services it provides to those markets, the channels it uses to access those markets, and the characteristics by which it differentiates its products and services in the eyes of the customer;
• are built on the processes through which the entity converts materials and labor into products and services, on its employees (training and retention), on its suppliers and customers, and on its shareholders and lenders.

RM Vision and Objectives
"Tough questions":
• What are our business objectives and strategies?
• What are our financial targets, e.g., profitability, size and revenue growth?
• What values do we want to build and reinforce?
• What markets do we choose?
• What relative market position do we seek?
• What is our business model for winning in our chosen markets?

Conducting Risk Assessments
Facilitated risk workshop pitfalls:
• Setting unclear or unrealistic objectives
• Failing to structure the meeting agenda for success
• Placing too little emphasis on discussion
• Letting technology glitches distract the process
• Not getting everyone involved
• Not creating a "safe" and open environment
• Failing to clarify roles and responsibilities
• Poor facilities

Conducting Risk Assessments
Ground rules for a risk assessment (problems to avoid):
• Lack of participant understanding of how to apply assessment criteria consistently
• Confusion over inherent risk
• Confusion over time horizon
• Not acknowledging that the future is inherently unknowable
• Overlooking external environment events because of a perception that they are outside of management's control
• Ignoring the interrelationships among risks

Conducting Risk Assessments
How do we identify, understand and apply interrelationships among risks? With a risk drivers map.
(Illustration: risk drivers map)

Conducting Risk Assessments
Critical events related to multiple risk categories
• Will the occurrence of one event, either individually or in combination with other events, cause another event to happen or, alternatively, affect, impact or contribute to the severity of another event?
• Through refinement of this cause-effect analysis, management can select the most critical events (the ones shaded in the previous illustration) and focus additional attention on understanding them.
• Understanding potential future events, in order to source why, how and where the entity's risks originate, lays a foundation for developing measurement and monitoring tools and for addressing risk through a portfolio view.

Conducting Risk Assessments
What is the appropriate level of depth when assessing risk?
• If risks are assessed at too high a level, it is difficult to identify the precise issue and management will be unable to decide what to do after the assessment is completed.
• At the same time, if the assessment is conducted at too granular a level, the "big picture" issues get lost in a sea of details and it will be difficult to complete the risk assessment in a reasonable amount of time.

Conducting Risk Assessments
Who should participate during the risk assessment process?
• Entity level: executive management; individuals with specific knowledge of unique business risks, issues and operations
• Unit level: unit management; key process owners

Conducting Risk Assessments
How is risk assessment related to risk quantification, and should risk quantification be used during risk assessment?
• Risk assessment is improved and is more robust when risks are quantified
• Quantified risks can be monitored against management's established risk tolerance

Conducting Risk Assessments
Is there value in using qualitative information when assessing risk? YES
• Qualitative information is often directional at best (i.e., it serves as a pointer to specific areas for further investigation and analysis) and is not effective in driving management decisions
• Related events occur so infrequently and, if and when they occur, they are subject to such a wide range of possible outcomes in terms of severity that it is difficult, if not impossible, to quantify them
• Managers closest to the source of the risk are the individuals best positioned to understand its nature and root causes

Getting Started – Set the Foundation
Building & Enhancing Capabilities
Building a Compelling Business Case
Making it Happen
Relevance to SOX Compliance
Other Questions

Further preview excerpts (slides not included above):
... critical risks
• phase enhances existing risk management capabilities
RM Vision and Objectives
Conducting Risk Assessments
What is the relationship between risk assessment and risk management?

Date posted: 18/01/2019, 14:29