DOCUMENT INFORMATION
Basic information
Format:
Number of pages: 70
Size: 775.5 KB
Contents:
Enterprise Risk Management (ERM) ‘Integrated Framework’

FUNDAMENTALS & ROLES
Roles & Oversight Structure

FUNDAMENTALS & ROLES
• The Fundamentals
• COSO Enterprise Risk Management
• Role of Executive Management
• Role of the Director
• Role of the Chief Risk Officer
• Risk Management Oversight Structure
• Role of Internal Audit

IMPLEMENTATION
• Risk Management Vision and Objectives
• Conducting Risk Assessments
• Getting Started – Set the Foundation
• Building & Enhancing Capabilities
• Building a Compelling Business Case
• Making it Happen
• Relevance to Sarbanes-Oxley Compliance
• Other Questions

Role of Executive Management
Who should participate in the ERM process, and how?
• ERM works best when all key managers of the organization contribute (CRO, CFO, Legal & Audit)
• They “support the entity’s risk management philosophy, promote compliance with its risk appetite and manage risks within their spheres of responsibility consistent with risk tolerances.”

Role of Executive Management
Must the CEO be fully engaged in the ERM process or system for it to be successful, or can he or she delegate it to someone else?
• The “CEO is ultimately responsible and should assume ownership”
• Are there any unknown exposures to events that could abruptly shift the organization’s agenda to “damage control” in a heartbeat should they occur?
• What can be done cost-effectively to prevent potential future events from happening, and how will the organization respond should the events occur?

Role of Executive Management
How will senior management benefit from supporting ERM implementation?
• … in 10 senior executives lack high confidence that their organization’s capabilities are identifying and managing all potentially significant business risks
• An enterprise-wide approach to business risk management will help executives meet the challenges they face by improving the linkage of risk and opportunity during the strategy-setting process and positioning risk management as a differentiating skill in managing the business

Role of Executive Management
How should executive management evaluate ERM?
• Against the four categories of objectives
• Across the extent of application (the entity and its divisions and business units)
• The eight components of ERM, as defined by the COSO framework, provide the basis for that evaluation

Role of Executive Management
What is the role of the CIO in an ERM environment?
• Overall governance issues relating to the IT operations
• Processes impacting IT
• Various application and data owners
• The need to eliminate gaps and overlaps in the ownership of IT-related risks

Role of Executive Management
What is the role of treasury and insurance in an ERM environment?
• Physical and financial assets on the balance sheet
• Prospects for expected future cash flows from core business activities
• Various contractual obligations of the enterprise, among other things

Role of Executive Management (slide 10)
Enterprise-wide view
• Those closest to the risks must be directly engaged in the management of the risks
• They assume primary responsibility to decide, design and monitor, or secondary responsibility to build and execute (according to the design)
• Treasuries and insurable risk management functions are taking a broader, more strategic view of the business, leading their organizations to a more formal and systematic approach to managing operational and other business risks

Risk Management Oversight Structure (slide 56)
Business Units (BUs) are the line operations of the enterprise
• Align their risk priorities, tolerances and strategies with enterprise-wide policies and guidelines
• Target business & product development activities to create new sources of value in line with the enterprise’s overall risk appetite
• Identify, source and measure risk
• Benchmark processes and share best practices with the objective of continuously improving measures and processes
• Assign risk management responsibilities and accountabilities to key managers
• Report on the overall quality of risk responses, control activities and information and communication, as applied to specific risks

Risk Management Oversight Structure (slide 57)
Risk Units manage (transversal) specific risks not managed by the BUs
• Risk management related to one or more risks is a core competence of the organization, e.g. interest rate risk, currency risk, commodity price risk, credit risk, weather risk and catastrophic risk
• Evaluate, pool, reduce, transfer and exploit the risks
• Provide the capabilities needed to manage risks that business units do not or cannot manage because they lack the competencies to do so

Risk Management Oversight Structure (slide 58)
Support Units
• Finance, HR, IS, Legal and Facilities
• Work closely with business units and risk units to manage risks that are germane to their specialized skill sets
• Participate on the RMEC to coordinate certain activities germane to risk management so that they can be more effectively integrated

Risk Management Oversight Structure (slide 59)
Assurance Units
• ERM compliance, internal audit and value at risk
• Perform audits and periodic or continuous reviews to provide assurances to the RMEC and the board that:
  - critical processes are performing effectively
  - key measures and reports are reliable
  - established policies are in compliance
• Internal audit is undergoing a transition because the traditional compliance-driven audit approach of the past is not dynamic or forward-looking enough to function effectively in an ERM environment

Risk Management Oversight Structure (slide 60)
Some Diagnostic Questions to Consider
• What is the role of the board and the CEO? Effective risk management starts at the top
• Is there a need for a RMEC? Does the executive committee have time to focus on the issues, or is it necessary to designate a separate committee?
• If there is a RMEC, who is on it? What are its role and responsibilities? How does the committee interface with the strategy-setting process?
• Does the organization designate a single officer (or group) to assume certain overall responsibilities for risk management, e.g., a “CRO” or equivalent executive? Independent?

Risk Management Oversight Structure (slide 61)
If there is a single risk officer OR a risk committee:
• Report to whom? Responsibilities? Nature of the risks integrated under the job description/charter?
• RMEC composition? Roles/responsibilities? Consultative (assess and recommend) or authoritarian?
• ERM compliance, internal audit and value at risk included or separate?
• Risk Units to house, develop and maintain the competencies needed to assess and manage unique risks?
• Roles/responsibilities of business & support units?
• Roles/responsibilities for managing the priority risks? Centralized?

Risk Management Oversight Structure (slide 62)
Does implementation of ERM require the identification of individual risk owners? YES
• Responsibilities, authorities and accountabilities are defined and articulated clearly so that an individual, a group or a designated unit is accountable for managing each risk
• Risk owners identify root causes, decide on the risk responses and design the capabilities for managing the risks in accordance with the selected risk response
• Consider the needed policies, specific process and control activities, necessary skills, management reports, supporting methodologies and systems and data (monitor performance)

Role of Internal Audit (slide 63)
What roles does internal audit play in ERM implementation?
• Educator - deploy the framework into audit
• Facilitator - risk assessments/responses
• Coordinator - ensure consistent deployment
• Integrator - collect, analyze, synthesize & report
• Evaluator - use the eight components to evaluate risk management

Role of Internal Audit (slide 64)
Core roles for internal audit
• Giving assurance on the risk management processes
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks

Role of Internal Audit (slide 65)
Roles that are not appropriate for internal audit
• Setting the risk appetite
• Authorizing and dictating the implementation of risk management processes
• Assuming the role of management in providing assurance on risks and risk management performance
• Making decisions on risk responses
• Implementing risk responses on management’s behalf
• Accepting accountability for risk management

Role of Internal Audit (slide 66)
“Legitimate internal audit roles”
• Facilitating identification and evaluation of risks
• Coaching management in responding to risks
• Coordinating ERM activities
• Consolidating reporting on risks
• Maintaining and developing the ERM framework
• Championing establishment of ERM
• Developing a risk management strategy for the BOD

(slide 67: no text in the preview)

Role of Internal Audit (slide 68)
• Should internal audit lead the ERM effort? NO
• Should internal audit integrate the COSO ERM framework into its work? Recommended
• Has internal audit already evaluated the application of ERM within the organization? Not necessarily

Role of Internal Audit (slide 69)
• Does the Institute of Internal Auditors (IIA) support the COSO Enterprise Risk Management – Integrated Framework? Yes
• Do the IIA standards require the use of the COSO Enterprise Risk Management – Integrated Framework? Not required – guidance issued

IMPLEMENTATION (slide 70)
• Vision and Objectives
• Conducting Risk Assessments
• Getting Started – Set the Foundation
• Building & Enhancing Capabilities
• Building a Compelling Business Case
• Making it Happen
• Relevance to Sarbanes-Oxley Compliance
• Other Questions

Additional excerpt (from a slide not shown in the preview):
… reporting risks must discuss management’s policies with respect to risk assessment and risk management. The ERM process provides fresh insight as to new and emerging risks for timely action and possible …