Practical Applications of Enterprise Risk Management

Transcription

1 Practical Applicatins f Enterprise Risk Management MACPA Business and Industry Cnference Jennifer Leary, Natinal Partner Risk Management and Jack Greenberg, CPA, Directr, Business Risk Services April 20, Discussin Objectives 1. Discuss factrs driving interest in implementing Enterprise Risk Management ( ERM ) 2. Prvide Executive Management and Audit Cmmittee a basic understanding f ERM cncepts, techniques and benefits 3. Review appraches fr assessing and priritizing risks: Identifying and describing risks Assessing risk based n key dimensins f impact and vulnerability Applying risk assessment techniques t rutine peratins 4. Discuss ERM implementatin framewrks and radmaps 5. Prvide an verview f the rganizatinal framewrk needed t supprt imprved risk management capability 2 1

2 Part 1 Factrs Driving Organizatins t Implement ERM: Why D Yu D It? 3 Increasing Demand fr Enhanced Gvernance and Risk Oversight 2012 Ddd Frank Act Rules cmpensatin cmmittee independence disclsure f pay fr perfrmance, pay ratis, and hedging by emplyees and directrs recvery f executive cmpensatin reprting ver cnflict minerals essential fr business disclsure f gvernment payments t resurce extractin issuers, cmpanies engaging in cmmercial develpment f il, natural gas, and minerals 2010 SEC Rules t Enhance Crprate Gvernance Disclsures directr and nminee qualificatins and legal prceedings diversity and directr nminatins bard leadership structure and rle in risk versight accelerated disclsure f sharehlder vting results COSO Enterprise Risk Management Framewrk Prvides an rganizatinal scpe, emphasis, and prgram t braden risk management t an enterprise wide emphasis and integrate int crprate strategy Sarbanes Oxley, 2002 Calls fr enterprise wide dcumentatin and testing f cntrls ver financial reprting risk Many rganizatins respnse is t enhance their crprate gvernance prcesses by develping and implementing an Enterprise Risk Management prcess 4 2

3 Bard Respnsibilities are Increasingly Fcused n Risk Oversight The 2012 Ddd Frank Act Rules have increased cmpensatin cntrls and disclsures, and the SEC has increased Bard structure and selectin rules. Bard fiduciary respnsibilities shuld extend beynd the traditinal hard risk areas t include all types f risk t the rganizatin including strategy and reputatin Bard members have a duty f care respnsibility which includes assuring that risks are cnsidered in decisin making and all knwn key risks are effectively managed 5 Questins Prcess Ownership Shuld be Able t Answer Fr each f yur risks: Hw des this risk relate t achieving yur bjectives? What is the rganizatin s appetite fr risk r what is its tlerance fr deviating frm expected results? What is yur state f preparedness? Hw d yu knw? Hw cnfident are yu? What are the risks where yu really need t imprve ur risk management? Which f these risks are mst likely t ccur and why? What is yur verall risk mitigatin plan? Hw will yu mnitr the effectiveness f the plan? Are there ther risks n r ver the hrizn that yu need t start t prepare fr nw? 6 3

4 Mst rganizatins rely n multiple surces fr answers Hwever, risk versight and an integrated apprach is usually lacking Finance Internal Cntrl, Disclsure, Credit, Liquidity, Cmmdity, Risk Analytics & Mdeling Infrmatin Management IT Security, Data Integrity, Infrmatin Adequacy, Business Prcess/Cntinuity Risks Operatins Quality f care, Custmer Relatins, Market and Pricing, Cmpetitive, Peple/Prcess/Asset Perfrmance, Envirnmental and Safety Risks Cmpliance and Ethics Ethics and Business Cnduct, and Regulatry Cmpliance Risks Business Develpment Market and Strategy Risks General Cunsel Legal and Intellectual Prperty Internal Audit Risk infrmed audits, risks t internal cntrl, key expsures and vulnerabilities, and assurance Insurance Security Risks t prperty and peple Prperty, Casualty, Liability, and Hazards ERM prvides a means t better understand, cmmunicate and respnd t the risk knwledge that exists in the rganizatin 7 What D We See Acrss Majr Crpratins? Based n a 2010 GAIN Benchmark Study, the Status f ERM integratin effrts are as fllws: ERM Specific Initiatives Designed and/r Implemented Peridic enterprise risk assessments perfrmed 52% Risks aggregated at the crprate level 49% Enterprise-wide established plicies and risk cmmittees 30% Risk management integrated int business initiatives 30% Enterprise risk dashbard 30% Risk training and knwledge sharing prgrams 26% Enterprise wide risk tlerance levels and risk limits cnsistent 20% Risk tlerances linked t strategic bjectives 12% 8 4

5 Part 2 ERM: Basic Cncepts and Benefits 9 Authritative Surces fr ERM Apprach 1. Cmmittee f Spnsring Organizatins (COSO), cmprised f the fllwing rganizatins: American Institute f Certified Public Accuntants (AICPA) American Accunting Assciatin (AAA) Financial Executives Internatinal (FEI) Institute f Internal Auditrs (IIA) Institute f Management Accuntants (IMA) 2. Cntrl Objectives fr Infrmatin and Related Technlgy (COBIT) COBIT is an IT Gvernance framewrk used t help with regulatry cmpliance and gaining increased value frm IT 3. Infrmatin Technlgy Infrastructure Library (ITIL) The ITIL is a IT best practices framewrk that addresses service delivery and supprt f IT services 10 5

6 What is Enterprise Risk Management? Enterprise risk management deals with risks and pprtunities affecting value creatin r preservatin, defined as fllws: COSO s ERM Framewrk Enterprise risk management is a prcess, effected by an entity s bard f directrs, management and ther persnnel, applied in strategy setting and acrss the enterprise, designed t identify ptential events that may affect the entity, and manage risk t be within its risk appetite, t prvide reasnable assurance regarding the achievement f entity bjectives. COSO 11 What Drives Enterprise Value? ENTERPRISE VALUE STAKEHOLDER VALUE Revenue Grwth Operating Margin Asset Efficiency Expectatins 12 6

7 What are the Key Risk Areas? ENTERPRISE RISKS GOVERNANCE Ethics/Decisin Authrity Oversight/Independence Cmpensatin/Other STRATEGY Strategic Plan/ Acquisitins/Divestitures Successin Planning Brand/Marketing/Pricing Reputatinal OPERATIONS Service Delivery Inventry Management Staffing and Emplyment Quality Standards Cst Management INFRASTRUCTURE Cmpliance Finance & Accunting Tax Infrmatin Technlgy Insurance BCP Safety/Physical Security Legal/IP/Litigatin Envirnmental / Other EXTERNAL FACTORS Cmpetitin/Ecnmic Cnditins Ge plitical/regulatry Activism/Public Safety Natural Disasters/Other 13 What is the ERM Apprach? ENTERPRISE VALUE RISK OVERSIGHT & INSIGHT Bard & Executive Management Alternatives, Decisins, Scenaris & Events ENTERPRISE RISKS GOVERNANCE Ethics/Decisin Authrity Oversight/Independence Cmpensatin/Other STAKEHOLDER VALUE Revenue Grwth Operating Margin Asset Efficiency Expectatins Reprting Risk Avidance Strategy & Executin Risk Taking Peple Prcess Technlgy Cmpliance Risk Avidance Operatins Risk Avidance STAKEHOLDER VALUE Rewarded risk can drive value. Unrewarded risk can destry value. STRATEGY Strategic Plan/Acquisitins/ Divestitures Successin Planning Brand/Marketing /Pricing Reputatinal OPERATIONS Service Delivery Inventry Management Staffing and Emplyment Quality Standards Cst Management INFRASTRUCTURE Cmpliance Finance & Accunting Tax Infrmatin Technlgy Insurance BCP Safety/Physical Security Legal/IP/Litigatin Envirnmental / Other EXTERNAL FACTORS Cmpetitin/Ecnmic Cnditins Ge plitical/regulatry Activism/Public Safety Natural Disasters/Other 14 7

8 Benefits f ERM Align risk appetite and strategy Link grwth, risk, and return Enhance risk respnse decisins Minimize peratinal surprises and lsses Identify and manage crss enterprise risks Prvide integrated respnses t multiple risks Seize pprtunities Supprt cst management effrts Imprve peratinal perfrmance Prvide better basis fr allcating resurces And thereby: Restre and/r retain stakehlder trust and cnfidence Prtect and increase value fr key cnstituents 15 Limitatins f ERM ERM is: A prcess fr prviding reasnable assurance abut the achievability f the enterprise s bjectives Integrated, prtfli view f risks and vulnerabilities and their ptential interactins Systematic and disciplined assessment f risk and reward as part f business prcess A means t imprve rewarded risk taking and an aid t decisin making A way t redeply existing resurces A frward lking view ERM is nt: A silver bullet r abslute assurance A substitute fr management judgment A stand alne initiative r a bureaucratic exercise in cmpliance Risk avidance / risk aversin A call fr additinal resurces A retrspective review 16 8

9 Part 3 Assessing and Priritizing Risk n an Enterprise Wide Basis: Hw yu d it? 17 Majr Types f Risk and Risk Areas (examples) Financial Operatins The risks assciated with the rganizatin s financial viability and the way the rganizatin maintains its financial recrds. Accunting / Cst Reprts /Revenue Cycle Financial Reprting & Disclsure / SOX Gvernance, Independence Treasury & Investments Tax UBI, Payrll Withhlding, Intermediate Sanctins, Returns 990s, and 501C3 Status Financing Bnds, Public Internal Cntrls Internal Audit Cntracting / Purchasing (Materials Management) Grup Purchasing Organizatin Relatinships Cnstructin Cmpliance and Legal Matters Federal and state regulatins Stark IRS Tax Anti Kickback HIPAA Anti Trust Service Delivery The risks assciated with the delivery f services Quality Safeguarding f Practice Regulatry Cmpliance EMTALA, Medical Necessity, HIPAA Privacy, Rbinsn/Patman Research/ IRB Institutin Licensing & Accreditatin COPS, CLIA, JCAHO, Patient Rights, Cnsent Marketing/ Cmmunity Outreach 18 9

10 Majr Types f Risk and Risk Areas(cnt.) Emplyment and Staffing The risks assciated with the rganizatin s delivery and management f its human resurces including emplyed, cntracted and credentialed prviders. Labr Relatins Wage & Hurly Cmpensatin Emplyment Practices Hiring & Firing, EEO, ADA Educatin, Training, Develpment Staffing Retentin, Recruitment, Perfrmance Evaluatins, Levels Pensin & Benefits Insurance Wrker s Cmpensatin Cntract Labr Agency, Nurses Organizatin and Strategic Envirnment The risks assciated with external factrs, strategic directin and issues related t rganizatinal structure and culture. Strategy M&A Advcacy Tax Exempt Limitatins Public Relatins Reputatinal Organizatin & Gvernance Missin Market Frces (Cmpetitin) Disaster Planning Physical Security Cann Law Emerging Technlgies (Innvatins) Systems Integratin 19 Majr Types f IT Risk and IT Risk Areas IT Cmputing Envirnment Risks assciated with the rganizatin s IT systems Hardware Sftware System interfaces Databases System and data criticality (system s imprtance t the rganizatin) System and data sensitivity Data backup and recvery prcess Lgical Access Passwrd Administratin Direct access t data Physical access t data centers/facilities/equipment Lack f segregatin f duties Netwrk Security and Availability System security plicies System security architecture Operatinal Envirnment f IT systems Functinal requirements f IT system Users f the IT system Management f data changes 20 10

11 Framewrk fr Assessing Risk and Organizing Risk Respnse Fcus n vulnerabilities t value lss r creatin nt just likelihd 21 Set Risk Appetite (Threshlds) Assess Impact Key Perfrmance Indicatrs Qualitative Quantitative Outcmes Financial Reputatin Legal Regulatry Stakehlder Expectatins Assess Vulnerability Cntrl effectiveness Cst f risk experience Prevailing failure mdes / cntributing factrs Cmplexity and change Risk management capability (detect, prevent, crrect, escalate) Likelihd Degree f difficulty Cst / ROI Time t implement Set Pririties High Risk Impact n Value Lw Assurance f Preparedness Redeply Resurces MARCI Chart Risk Mapping First Effectiveness Then Efficiency A R Select Risk Respnse Acceptance Avidance Preventin Vulnerability Enhance Risk Mitigatin Cumulative Impact? CI Detectin Crrectin Escalatin M Measure fr Cumulative Impact Illustrative High Risk Priritizatin and Respnse Sessins Evaluating the cst benefit f varius risk respnse ptins can be standardized using a evaluatin template t standardize the analysis f different respnse ptins Example Risk Respnse Evaluatin Matrix: Financial Systems & Internal Reprting Risk Descriptin: the pssibility f revenue lss r nn-cmpliance due t pr alignment f financial systems functinality and internal reprting requirements. Optins Available Csts Benefits Accept Reduce Vulnerability Reduce Impact Transfer Avid Retain current risk by wrking with current architecture >Minimal incremental cash expenses >Cntinued risk f lss >Cntinued r perhaps accelerated bslescence f systems Lwer cash utlays t address prblem Minimal rganizatinal disruptin Implement new system Enhance business that better fits business prcesses and manual requirements recnciliatins $X Licensing fee $X implementatin $X maintenance fee Organizatinal disruptin during transitin $X estimated avided lss Enhanced reprting and better business decisin-making Outsurce financial systems peratin t third party vendr $X implementatin $X implementatin $X annual fee Organizatinal disruptin $X per transactin fee during transitin Lss f rganizatinal Onging inefficiency capability csts Lss f rganizatinal cntrl $X estimated avided lss $X MM annual cst savings Enhanced reprting flexibility and supprt Where practicable Nt practicable Nt practicable Residual Risks? N Yes Yes Yes Nt practicable 22 11

12 Inherent and Residual Risk Inherent risk is the risk t an entity in the absence f any actins management might take t alter either the risk s likelihd r impact. Residual risk is the risk that remains after management s respnse t the risk. Risk assessment is applied first t inherent risks. Once risk respnses have been develped, management then cnsiders residual risk. Effective enterprise risk management requires that risk assessment be dne bth with respect t inherent risk and als fllwing risk respnse. COSO ERM Shrtcmings f the COSO apprach Estimating Likelihd and Impact Uncertainty f ptential events is evaluated frm tw perspectives likelihd and impact. Likelihd represents the pssibility that a given event will ccur, while impact represents its effect... It is imprtant that the analysis be ratinal and careful The time hrizn used t assess risks shuld be cnsistent with the time hrizn f the related strategy and bjectives Fr example, a cmpany perating in Califrnia may cnsider the risk f an earthquake disrupting its business peratins. Withut a specified risk assessment time hrizn, the likelihd f an earthquake exceeding 6.0 n the Richter scale is high, perhaps virtually certain. On the ther hand, the likelihd f such an earthquake ccurring within tw years is substantially lwer. By establishing a time hrizn, the entity gains greater insight int the relative imprtance f the risk and an enhanced ability t cmpare multiple risks. COSO ERM Sept 2004 p

13 Part 4 Implementing ERM 25 A Typical Framewrk fr Implementatin Phase 1 Phase 2 Phase 3 Phase 4 Buy In Understand, Accept, Cmmit t Pilt Assess Assess enterprise risks and risk management capability Recmmend Detailed recmmendatins t reslve capability gaps in effectiveness & efficiency Implement, Operate & Cntinuusly Imprve Implement sustainable IERM capabilities Value Prpsitin Clarify IERM needs & expectatins Executive awareness and cmmitment Agree n scpe, criteria, prcess Establish IERM as a pririty Cmmunicate Pilt test Set risk appetite and key perfrmance metrics Assess vulnerability t selected key risks Qualify befre quantify Assess interactins and risk experience Assess current capabilities Develp risk prfile Identify gaps & set pririties Define authrities, requirements, resurces Design sustainable prcess Identify capabilities fr design Design change management Prf f Cncept Decisin t prceed Deply tls Train persnnel Mnitr & Reprt Integrate int cre management prcesses Change management Cntinuusly imprve 26 13

14 Develping the ERM implementatin radmap Build business cases t supprt implementatin plan fr changes t: Enabling technlgies Organizatin ERM prcesses Prgram management Perfrm prject priritizatin based n business case criteria Develp prperly sequenced implementatin radmap addressing: Timeline Resurces requirements Gvernance structure and respnsibilities High level business cases Critical success factrs Prgram enablers Risk Management Capability Risks t Objectives Envirnment Managed Risk Infrmed Decisin Bard Management Risk Making Oversight Ownership Plicy Optimized risk/ reward & Appetite balance Objectives & Decisin Risk Assessment Risk Respnse Mnitr Making Risk n Scenari/ Risk 3 Event Risk 2 Identificatin Risk 1 Cntrl & Assurance Infrmatin Cmmunicatin ERM Organizatin Structure Rles & Respnsibilities Training Knwledge Management Change Management Prcess Design Peple Technlgy Assessment & Selectin Technlgy Slutin Design Technlgy Slutin Implementatin Supprt Infrastructure Develpment Technlgy Slutin Supprt Technlgy 27 Illustrative ERM Rles & Respnsibilities Party Bard / Audit Cmmittee Respnsibility Establish risk appetite; Review enterprise risks Mnthly r as Needed Quarterly Semi-annually Review all relevant risk Executive Management (select grup r wrking cmmittee) Set plicy, priritize and allcate resurces fr verall crprate risks Review risks and allcate resurces Prvide guidance fr significant new risks Review risks and allcate resurces Review risks and allcate resurces; reprt updates t Bard / Audit Cmmittee ERM Team (PMO, Cuncil, Cmmittee, etc.) Manage prcess, tls and data Crdinate and assist Assist with reprting and review Assist with reprting and review Mnitr prgram effectiveness Divisin A Management Team Identify, assess & mnitr risks relevant t divisin Reprt/escalate significant new risks Reprt all relevant risk Review risks with Executive Management Divisin B Management Team Identify, assess & mnitr risks relevant t divisin Reprt/escalate significant new risks Reprt all relevant risk Review risks with Executive Management Divisin C Management Team Identify, assess & mnitr risks relevant t divisin Reprt/escalate significant new risks Reprt all relevant risk Review risks with Executive Management Crprate Management Team Identify, assess & mnitr risks relevant t crprate functins Reprt/escalate significant new risks Reprt all relevant risk Review risks with Executive Management 28 14

15 Part 4 Develping a Sustainable Risk Management Capability: A Capability Maturity Mdel 29 A Mdel fr Evaluating Risk Management Capability 1. Hw capable is yur cmpany tday t manage its risk prfile? 2. Hw capable des it need t be? 3. Hw can it get t its desired state? Ad hc / chatic; depends primarily n individual herics, capabilities and verbal wisdm Reactin t adverse events by specialists Discrete rles established fr small set f risks Typically finance, insurance, cmpliance Tne set at the tp Plicies, prcedures, risk authrities defined and cmmunicated Business functin Primarily qualitative Reactive Integrated respnse t adverse events Perfrmance linked metrics Rapid escalatin Cultural transfrmatin underway Bttm up Practive Built int decisin making Cnfrmance with enterprise risk management prcesses is incentivized Intelligent risk taking Sustainable Risk management is everyne s jb 1: Tribal & Heric 2: Specialist Sils 3: Tp Dwn 4: Systemic 5: Risk Intelligent Un rewarded Risk Rewarded Risk 30 15

16 A Mdel fr Evaluating Risk Management Capability (cntinued) 31 Categries f Leading ERM Practices Risk Assessment Internal & External Envirnment Estimating Impact & Vulnerability Bard f Directrs Assessment Techniques Integrity, Ethical Values & Cde f Cnduct Analyzing interdependencies Risk Management Philsphy Risk Appetite & Risk Plicy Priritizing Risks fr Respnse Organizatinal Structure Evaluating Pssible Respnses Assignment f Authrity & Respnsibility Risk Respnse Cmmitment t Cmpetence External Envirnment Priritizing, Selecting & Integrating Respnses Assigning Respnsibilities Decisin Making & Objective Setting Strategy & Executin Objectives Cntrl Activities & Assurance Operatins & Infrastructure Objectives Types f Cntrl Activities Cmpliance Objectives Assurance Activities Reprting Objectives Plicy & Prcedures Risk Appetite & Tlerances Risk Infrmed Decisin Making Cntrls Over IS and Other Infrastructure Scenari & Event Identificatin Infrmatin & Cmmunicatin Scenaris & Events Infrmatin & Reprting Distinguishing Risks & Opprtunities Knwledge Management Influencing Factrs Change Management Interdependencies Training & Cntinuing Educatin Event Identificatin & Scenari Techniques Cmmunicatin and Disclsure Mnitring & Escalatin Onging Mnitring/Separate Evaluatins Independence Decisin Authrities, Breaches and Escalatin Reprting Trends, Deficiencies, Exceptins Cntinuus Imprvement Enhancing Risk Management Capability Key Strategies Link enterprise risk t enterprise value Take an integrated apprach that helps the rganizatin efficiently identify and respnd t unacceptable risks in the cntext f its key value imperatives Use a cnsistent enterprise wide apprach t classifying and describing risks including types f risk utcmes (impacts) Establish r leverage cnsistent qualitative and quantitative mdels fr valuing risk impacts Imprve risk management capability by fcusing n peple, prcess and technlgy Rles, respnsibilities and authrities fr managing risk Plicies and guidelines fr defining risk appetite and risk tlerance Prcedures and prcess fr risk identificatin, assessment, priritizatin and respnse Risk centered strategic planning and resurce allcatin Risk analysis tls and specialized skills Risk management training and awareness Risk aggregatin, mnitring and reprting technlgy Establish ERM as a cmpnent f the rganizatin s gvernance structure Bard versight Management wnership Embedded and practiced thrughut the rganizatin 32 16

17 The DNA f the Risk Intelligent Organizatin Senir Management CORPORATE GOVERNANCE / RISK OVERSIGHT & INSIGHT Bard f Directrs / Audit Cmmittee Delegatin f Authrity & Risk Appetite Risk Infrmed Decisin Making Crprate Risk Management Capability Internal Audit Business Unit Leaders Pririty Risk Issues & Mitigatin Plans Risk Aggregatin, Mnitring & Reprting Validatin, Challenge & Assurance Operatinal Units Risk & Cntrl Assessment Perfrmance Indicatrs & Risk Metrics Advisry / Specialized Supprt Plicies, Prcedures, Prcesses & Systems Risk intelligence is embedded in the Risk Infrmed Decisin Making prcess, such as Business Planning and Capital Allcatin, and imprves preparedness fr adverse events 33 Critical Success Factrs Gain Bard / senir executive cmmitment and invlvement Establish management accuntability and respnsibilities Demnstrate tangible results and link t value bjectives Build the prcess int the way the enterprise des business Obtain supprting charter, plicies, and prcedures Prvide a cmpetent cre IERM team and adequate resurces Fcus n the cultural/change management prcess Mnitr and cntinuusly imprve 34 17

18 Questins & Answers Thank Yu fr Yur Time and Participatin 35 18