Enterprise Risk Management (ERM) ‘Integrated Framework’
IMPLEMENTATION
Building Capabilities Taking A Process View

FUNDAMENTALS & ROLES
• The Fundamentals
• COSO Enterprise Risk Management
• Role of Executive Management
• Role of the Director
• Role of the Chief Risk Officer
• Risk Management Oversight Structure
• Role of Internal Audit

IMPLEMENTATION
• Risk Management Vision and Objectives
• Conducting Risk Assessments
• Getting Started – Set the Foundation
• Building & Enhancing Capabilities
• Building a Compelling Business Case
• Making it Happen
• Relevance to Sarbanes-Oxley Compliance
• Other Questions

What steps does management take to build risk management capabilities?
• step one - assess risk and develop responses
• step two - design and implement capabilities
• step three - continuously improve capabilities

How does management decide on the appropriate risk management capabilities?
• judgment, culture and operating style

How does management improve the organization’s risk assessments?
• directing the necessary resources to support the process

Is specialized ERM software preferable to broader platforms for compliance, governance and risk management?
Yes
• software solutions that integrate compliance, risk management, and internal audit efforts are likely to be the most successful over time

How does software functionality support the goals of ERM?
• ERM goals are improving strategic decision-making by evaluating activities that are creating or destroying enterprise value
• solution functionality provides risk definition, risk management capabilities gap analysis, control activities documentation, entity-level monitoring, workflow scheduling and notification, risk and audit issue tracking, VaR modeling, risk response and management reporting

What are the primary categories of software vendors?
• risk management experts
• process control experts
• risk software specialists
• consulting firms

Characteristics?
• In-depth risk management knowledge
• Ability to educate prospects/customers & execute/support
• Professional services/Global presence
• Dedication to market space

Is it better to design an ERM process first and then select the appropriate ERM software, or vice versa?
• decide the process before choosing the software

What is dashboard or scorecard reporting and how is it used in an ERM environment?
• A common language for organizing risk management information
• A timely feedback mechanism
• A data repository
• Status reporting on initiatives

Illustrative examples
• Executive and unit management can use the dashboard to (a) facilitate and improve risk communication, oversight, compliance and monitoring and (b) align risk management with the achievement of business objectives, related strategies and key performance metrics
• Risk and process owners throughout the organization can input data about risks, risk responses and internal controls and gain insights about risk management performance and best practices

Illustrative examples: central Business Risk Management Function, an assurance unit or risk unit
• Roll up information using common data elements
• Use data analytics and decision support tools to mine and analyze data to identify trends warranting attention
• Summarize relevant information on an enterprise wide, a business unit, a geographic and a product basis
• Develop int./ext benchmarking, knowledge sharing, early warning techniques, scenario assessment, risk aggregation
• Demonstrate complying with the COSO ERM
• Capture improvement opportunities/facilitate identification of best practices

Is economic capital measurement a prerequisite for adoption of ERM for Financial Services?
NO
• “Economic capital” is defined as the amount of capital that is sufficient to adequately protect shareholders against default from all but extreme loss events
• The calculation is based on an analysis of all risks to which the firm is exposed

How is continuous improvement applied to risk management?
• A continuous improvement process
• An enterprise risk assessment process and gap analysis
• Benchmarking
• Four-way communications and knowledge sharing
• Employee learning
• Monitoring of implementation of improvements

What are the synergies and differences between ERM and “quality initiatives” (e.g., Six Sigma, Lean, TQM, etc.)?
• ERM is an enterprise-level process that is integral to strategy-setting
• Quality initiatives, on the other hand, provide the methodology and tools to help organizations understand, measure and continuously improve the efficiency and quality of their processes at a detailed level
• An enterprise risk assessment should focus on strategic issues, with the emphasis on processes driven by the gap analysis around the priority risks

... constraints; Risk and reward trade-offs; Risk management capabilities; Time horizon; Financing; Residual risk (never completely eliminated); Inadvertent risk taking (response); Risk manageability