Best Practices in ENTERPRISE RISK MANAGEMENT. [ Managing Risks Holistically ]

INTRODUCTIONS
Moderator: Bob Lipps, JD, CPA
Panelists: Ron Wilcox; Abel Pomar; Karen Gordon, Esq.

THE EVOLUTION OF RISK

Traditional definitions of RISK:
- The possibility that something bad or unpleasant will happen. [Merriam-Webster]
- Minimizing the adverse effects of accidental losses. [The Institutes]

Broadened definitions (ISO 31000):
- RISK: The effect of uncertainty on objectives.
- RISK MANAGEMENT: Coordinated activities to direct and control an organization with regard to risk.

TRADITIONAL RISK MANAGEMENT APPROACH

THE NEW VIEW OF RISK
RISK can be a threat or an opportunity.
Risk = Any uncertainty that can harm, prevent, delay, or enhance an organization's ability to achieve objectives.

Risk Treatment Strategies for RISK: Avoid; Mitigate; Transfer; Retain/Accept; Exploit.

THE CHANGING FOCUS OF RISK MANAGEMENT

TRANSACTIONAL: Historic Risk Management
- Insurance
- Specific hazards
- No compliance input
- Separate safety & emergency management
- Silo approach
- Risk Manager = insurance buyer
Risk is bad; the focus is on transferring risk.

INTEGRATED: Advanced Risk Management
- Alternative risk transfer techniques
- Proactive prevention & risk reduction
- Integrated approach to claims, contracts, insurance, etc.
- Increased education & accountability
- Collaboration across departments
- Risk Manager may be the risk owner
Risk is an expense; the focus is on reducing cost-of-risk.

STRATEGIC: Enterprise-Wide Risk Management
- Broad range of risks analyzed
- Combination of risk mitigation and opportunities
- ERM alignment with strategy
- Helps manage growth, allocate capital & resources
- Risks owned by SMEs
- Greater availability of risk mitigation and analytical tools
- Risk Manager = risk moderator, partner, leader; not the owner of every risk
Risk is uncertainty; the focus is on optimizing risk to achieve goals.

WHAT IS ENTERPRISE RISK MANAGEMENT (ERM)? The Risk and Insurance Management Society defines ERM as: A strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.

ENTERPRISE RISK MANAGEMENT (ERM): Types of Questions to Ask
- What would cause us to be unable to achieve our objectives or allow us to operate according to our values?
- Describe a scenario of what could go wrong and how we would respond today.
- What controls are currently in place? What should be done better?
- What risks should we consider over the next 12-18 months?
- What risks will be important for our sustainability ten years from now?
- How severe can the risk be and what is the likelihood of it occurring?
- What are the consequences to your organization if the risk occurs?
- What are the early warning signs that the risk may occur?

A HOLISTIC APPROACH TO MULTIFACETED RISKS. ERM:
- Arms leaders with consolidated information to improve decision-making.
- Organizes risk information from across the organization.
- Involves creating a culture of risk management and risk ownership.
- Recognizes that one person alone cannot own every risk.

WHAT DOES ERM DO? In a nutshell, ERM is a process that identifies, evaluates, and mitigates potential and emerging risks to the organization; assigns risk ownership and accountability; monitors risk mitigation strategies; reports those risks to leadership; and promotes a culture of risk awareness.

ENTERPRISE RISK MANAGEMENT FRAMEWORK AND PROCESS MODEL (diagram; the legend distinguishes framework elements, process steps, and the recurring process)
Framework elements:
- Top Leadership, Risk Appetite, & Accountability
- Align and Embed in Culture
- Communications & Reporting to Stakeholders & Top Management
- Resource Allocation
- Audit When Critical Risks Identified
Recurring process steps:
- Scan Organizational Environment (SWOT Analysis)
- Identify Risks & Risk Owners [w/ Business Managers]
- Analyze Risks [w/ Business Operations & Risk Management/Legal]
- Mitigate or Eliminate Risks [w/ Business Managers & Others]
- Monitor Risks; Assure Compliance & Continued Alignment with ABS Objectives [Risk Management w/ Internal Audit]
- Revisit Mitigation Strategy, if needed [with Legal & SLT]

EXAMPLES OF HOW ORGANIZATIONAL OPERATIONS RELATE TO ENTERPRISE RISK MANAGEMENT (ERM)
- Governance: Corporate Strategy, C-Suite
- Compliance: Legal, Finance, Internal Audit
- Strategic Planning: Corporate Strategy, C-Suite, Managers
- Business Operations: Managers, Staff
- Performance Management: HR, Managers, Staff
- Internal Control: C-Suite, Internal Audit, Legal
- Risk Management: Legal, Internal Audit
- Process Management: C-Suite, Managers

ROLE OF THE ENTERPRISE RISK MANAGER OR CHIEF RISK OFFICER (CRO)
- To create a risk-aware culture;
- To ensure ERM activities are aligned with mission objectives;
- To bring consideration of risk into strategic decision-making;
- To develop a center of excellence for managing risk, drawing on the expertise of SMEs, who, in turn, are similar to risk managers for their unique areas;
- To facilitate and coordinate holistic risk management;
- To communicate clearly to stakeholders; and
- To be advisor and partner to other executives and managers.

WHY IS ENTERPRISE RISK MANAGEMENT IMPORTANT?
1. All organizations exist to achieve their objectives.
2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve them.
3. The effect this uncertainty has on an organization's goals is risk.
In summary, the holistic management of risk is central to the success of all organizations.

THREE LEVELS OF ERM IMPACT: Strategic; Operational; Decision-Making.

ERM IMPLEMENTATION PROCESS
1. Design ERM Framework.
2. Equip ERM Committee.
3. Perform Initial Assessment.
4. Assign Ownership.
5. Develop Treatment Plans.
6. Plan Data and Workflow Management.
7. Set Procedures for Strategy & Decisions.
8. Develop Reporting & Accountability.

ENTERPRISE RISK MANAGEMENT (ERM) PHASES: Phase I, Advance Preparation; Phase II, Risk Identification / Assessment Process; Phase III, Data Analysis; Phase IV, Risk Drill-Down.

Phase I, Advance Preparation:
- Develop initial risk profile with help from a professional
- Prepare a risk survey questionnaire
- Compile information from the questionnaire
- Prepare additional information as required

Phase II, Risk Identification / Assessment Process:
- Identify key risks
- Prioritize risks
- Rate likelihood and severity for top risks
- Assess current risk management controls for key risks
- Discuss aggravating and mitigating risk factors
- Identify risk owners
- Develop potential action plan

RISK IDENTIFICATION & ASSESSMENT PROCESS
Rating Criteria: Severity, Likelihood, and Manifestation Ratings

Score  Severity                Likelihood             Manifestation
1      Minimal significance    1 event per 10 years   Greater than 5 years
2      Somewhat significant    1 event per 5 years    Between 4 and 5 years
3      Significant             1 event per 2 years    Between 3 and 4 years
4      Very significant        1 event per year       Between 1 and 3 years
5      Extremely significant   Regularly occurring    Less than 1 year

Your ministry's Top Risks and Owners (Total = Severity + Likelihood + Manifestation):

Risk                          Severity  Likelihood  Manifestation  Total
Meet Healthcare Needs         3         5           5              13
Donor Longevity/Commitment    4         4           1              9
Maintain Mission/Vision       5         5           1              11
Having Quality Staff          4         5           3              12
Manage Data Systems           3         2           3              8
Legal Compliance              4         5           4              13
Insufficient Funding          5         2           3              10
Competition with Others       2         5           4              11

Action-plan template (columns: Risk Description; Current Risk Owner(s); Current Risk Management Activities; Future Action Plan; New Risk Owner(s)). Only the current owners are filled in:
- Legal Compliance: GC/CFO
- Meeting Healthcare Needs: VP HR
- Having Quality Staff: VP HR
- Maintain Mission/Vision: CEO
- Competition: CEO/COO

Phase III, Data Analysis: You should prepare a summary of findings/results of activities from Phase II, including:
- Executive Summary
- Identified Risks
- Risk Ratings
- Proposed Action Plan

Phase IV, Risk Drill-Down: Specific risk areas may need to be further addressed.

LOWER OVERALL COST OF RISK. Remember to follow the ERM process:
- Identify & prioritize risks
- Proactively manage risks through risk owners/managers
- Integrate risk management into the overall business plan

ERM INTEGRATED INTO EXISTING BUSINESS PRACTICES. ERM becomes incorporated into: the organization's culture; strategic planning; quality improvement; budgeting; employee engagement; committee structure; decision-making.

ERM IMPLEMENTATION IN ACTION

Evangelical Christian Credit Union Abel Pomar President, Chief Executive Officer

RISK PHILOSOPHY We strive to do the right thing as we seek to fully understand and manage risk in the pursuit of value for our members. This is an ongoing process, where everyone in the organization is responsible for understanding and managing risk.

Risk categories: Credit; Interest Rate; Liquidity; Operational; Compliance; Concentration; Market; Strategic; Reputational.
TOOLS USED: Risk Matrix; Enterprise Risk Management Committee; KRI/KPI Reporting System.

Risk Matrix: ratings (L/M/H) per sub-business area, one rating per category in the order listed above (Credit, Interest Rate, Liquidity, Operational, Compliance, Concentration, Market, Strategic, Reputational).
Business Area: Membership
- Ministry: L L L L L M M H M
- Small Business: L L L M L L M H L
- Consumer: M L L L L L M H M
- Foreign: (no ratings captured)
Business Area: Funding Sources
- Small Business Insured Deposits: L L L L L L L M L
- Small Business Uninsured Deposits: L L L L L L L L L
- Consumer Insured Deposits: L L L L L L H H L
- Consumer Uninsured Deposits: L L L L L L L L L
- MBL Participations: M L M M L L L M M
- CU Certificates: L L L L L H L L L

OBSERVABLE OUTCOMES
- Improved business monitoring
- Stronger business processes
- Intentional focus for strategic planning
- Improved business prioritization
- Minimizes financial losses for the organization
- Identifying emerging risks

Samaritan's Purse. Ron Wilcox, Chief Operating Officer

KEY ELEMENTS OF THE PROCESS
- Establishment of leadership groups, ground rules and commitment to process
- Identification of risks and contributing factors
- Leadership to agree and rank major risks and assign owners
- Risk owners develop written goals and plans for addressing risks
- Review and approval of goals and plans by CEO, reporting to board for oversight
- Communication and implementation
- Monitoring and reporting

HISTORY OF RISK MANAGEMENT AT SAMARITAN'S PURSE. Step 1: Director Group Meetings. This group's task is to take information identifying ministry risks from past RM efforts, updated submissions by the SP VPs, and their own lists of ministry risks; review and discuss it all; and consolidate it into one list of ministry risks. Each member of the group must agree on or support each risk in order for it to remain on the list. The Director Group met multiple times, in person and via e-mail exchanges, during April and May to discuss and clarify the nature of each risk and the factors contributing to the risks, and to compile a final Risk List. The Director Group finalized the Risk List and forwarded it to the COO for distribution to the VP Group.

HISTORY OF RISK MANAGEMENT AT SAMARITAN'S PURSE. Step 2: Continued Meetings with VP Group. VP Group tasks: 1st task: go through the list, then score and plot each risk on a scale; the parameters for each risk are Likelihood of Occurrence and Severity of Impact. 2nd task: assign individual risks to owners. The owner of each risk should be the operational department that has the greatest ability to manage the risk in question. Some risk owners acknowledge collaborative efforts with other departments, but for accountability purposes, each risk needs one designated owner. 3rd task: each risk owner develops a Summary Risk Management Plan for each risk it owns. These plans answer the question: how do you go about addressing this risk if you are its owner? Each owner turned in their plans.

HISTORY OF RISK MANAGEMENT AT SAMARITAN'S PURSE. Step 3: The RM list and plans are presented to senior leadership. Appropriate revisions are made and the decision is finalized to move forward with full support. Step 4: Quarterly meetings are calendared with all staff who were involved in the process. At the meetings, risk owners present their plans and give updates on their process to the group. Accountability remains with the group, with oversight by the COO.

RISK MAPPING: Risk Map (scatter plot; x-axis Likelihood of Occurrence 0-5, labelled Rare, Unlikely, Moderate, Likely, Almost Certain; y-axis Severity of Impact 0-5, labelled Negligible, Low, Moderate, Very High, Extreme). Plotted risks as (likelihood, severity):
- #1 Cybersecurity (4.2, 4.6)
- #2 Hiring Difficulty (4.4, 3.6)
- #3 Bureaucracy (4.6, 3.2)
- #4 Reputation (2.6, 4.8)
- #5 Workplace Safety (2.8, 4.4)
- #6 Communication (3.8, 3.2)
- #7 Major Crisis (2.6, 4.4)
- #8 Mission Focus (2.2, 4.8)
- #9 Volunteer Issues (3.4, 3.2)
- #10 Theft and Fraud (3.2, 3.4)
- #11 Vendor Instability (2.8, 3.8)
- #12 Insurance (2.6, 3.8)
- #13 Training (2.6, 2.8)

CREATION OF RISK MANAGEMENT SYNOPSIS. Risk Management Synopsis (Ranking; Risk Title; Assigned Owner):
1. Cyber-Security threats. Owner: Information Technology
2. Hiring or placing qualified candidates in necessary positions. Owner: Human Resources
3. Avoidance of procedures or "work-around" actions by staff to get their work done. Owner: COO / Legal
4. Damage to the ministry's reputation significantly erodes donor support. Owner: Quality Control / Donor Ministries
5. Workplace safety and security threats, including physical threats to employees and facilities, domestic and international. Owner: Security

OVERVIEW OF OUR ERM APPROACH. We recommend an approach that focuses on a culture of risk management within the organization:
- Both top down and bottom up, enculturated in all team members.
- Oversight by the board.
- Monitoring and accountability owned by the CEO.
- Ownership at the VP level.
- Training and development of a process that includes intentional identification, consideration and documentation of all risks and priorities that can be insured, mitigated, accepted, or eliminated.
- Quarterly review and update by risk owners.
- Quarterly coordination between risk owners and COO.
- Periodic review and advice by subject matter experts.

American Bible Society Karen Gordon, Esq. Director of Enterprise Risk Management & Compliance

ERM IMPLEMENTATION AT ABS
- Nascent stage
- C-suite support critical: obtaining C-suite buy-in
- Combination of Business Continuity Planning & ERM: capitalizing on similarities
- Volunteer test group
- Track investment of time and people
- Process overview and outcomes to C-suite

BUSINESS CONTINUITY

BCP & ERM COMMONALITIES (Venn diagram of BCP-specific, shared, and ERM-specific attributes; the attributes shown are):
- Critical
- Typically led by Risk Management
- Highly recommended
- Must be done
- Legal involvement
- Risk assessment
- Vital to sustainability
- Ensures mission continuance
- Far-reaching consequences if not done right
- Centrally managed but individual risk owners
- Business impact analysis
- Should be done
- Promotes strategic alignment with mission

TIMELINE
- Enterprise Risk Management: Pre-incident
- Disaster Strikes
- Disaster Recovery: Immediate Incident Response; Post Disaster Recovery (hours)
- Business Continuity: Post Disaster Operations and Restoration (days to weeks); Resumption of Business (on-site and/or alternate site)

SAMPLE RISK INVENTORY LOG (columns: Risk Category; Sub-Category; Risk Element; Risk Tolerance; Inherent Risk as Likelihood (L), Impact (I), Severity (L x I); Risk Response; Risk Response Tactics; Value of Response Tactics; Residual Risk; Further Action Required & Plan; Risk Ownership; Status)

Entry 1
- Risk Category / Sub-Category / Risk Element: Operational / Technology / System outages
- Risk Tolerance: (blank)
- Inherent Risk: Likelihood 5, Impact 5, Severity 25
- Risk Response: Mitigate
- Risk Response Tactics: System monitoring; service level agreements; back-up & recovery procedures; system testing; database mirroring; firewalls; uninterruptable power supply
- Value of Response Tactics: Moderate (7)
- Residual Risk: 18
- Further Action Required & Plan: Institute rigorous testing of recovery procedures
- Risk Ownership: CTO
- Status: Monitor

Entry 2
- Risk Category / Sub-Category / Risk Element: Operational / Personnel / Attracting & retaining qualified staff
- Risk Tolerance: (blank)
- Inherent Risk: Likelihood 4, Impact 5, Severity 20
- Risk Response: Mitigate
- Risk Response Tactics: Performance evaluations; HR development & training; hiring criteria; compensation plans
- Value of Response Tactics: High (8)
- Residual Risk: 12
- Further Action Required & Plan: SLT approval of risk
- Risk Ownership: SVP, HR
- Status: Monitor
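The two scoring schemes used on these slides, the additive Phase II total (Severity + Likelihood + Manifestation) and the inventory log's multiplicative inherent risk (Likelihood x Impact) less the value of the response tactics, as an added Python example that is not part of the presentation; the class and function names are this example's own, the sample values are the slides' own, and it adds range validation so a mis-keyed score cannot silently distort a ranking.

```python
from dataclasses import dataclass

# Rating criteria from the Phase II slide: score -> (severity, likelihood, manifestation).
RATING_CRITERIA = {
    1: ("Minimal significance", "1 event per 10 years", "Greater than 5 years"),
    2: ("Somewhat significant", "1 event per 5 years", "Between 4 and 5 years"),
    3: ("Significant", "1 event per 2 years", "Between 3 and 4 years"),
    4: ("Very significant", "1 event per year", "Between 1 and 3 years"),
    5: ("Extremely significant", "Regularly occurring", "Less than 1 year"),
}

def check_score(label: str, value: int) -> int:
    """Reject anything outside the 1-5 scale so a typo cannot skew a ranking."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")
    return value

@dataclass(frozen=True)
class RatedRisk:
    """One row of the 'Top Risks and Owners' table (additive scheme)."""
    name: str
    severity: int
    likelihood: int
    manifestation: int
    def __post_init__(self):
        for label in ("severity", "likelihood", "manifestation"):
            check_score(label, getattr(self, label))
    def total(self) -> int:
        return self.severity + self.likelihood + self.manifestation
    def describe(self) -> tuple:
        """The rating-criteria text behind each of the three scores."""
        return (RATING_CRITERIA[self.severity][0],
                RATING_CRITERIA[self.likelihood][1],
                RATING_CRITERIA[self.manifestation][2])

def rank_risks(risks):
    """Highest total first; ties broken by severity, then name, so the order is stable."""
    return sorted(risks, key=lambda r: (-r.total(), -r.severity, r.name))

@dataclass(frozen=True)
class InventoryEntry:
    """One row of the sample risk inventory log (multiplicative scheme)."""
    element: str
    likelihood: int
    impact: int
    response_value: int  # the 'Value of Response Tactics' column
    def inherent(self) -> int:
        return check_score("likelihood", self.likelihood) * check_score("impact", self.impact)
    def residual(self) -> int:
        # Controls reduce inherent risk; they cannot push residual risk below zero.
        return max(self.inherent() - self.response_value, 0)

# Sample rows, constructed here from the values printed on the slides.
TOP_RISKS = [
    RatedRisk("Meet Healthcare Needs", 3, 5, 5),
    RatedRisk("Donor Longevity/Commitment", 4, 4, 1),
    RatedRisk("Maintain Mission/Vision", 5, 5, 1),
    RatedRisk("Having Quality Staff", 4, 5, 3),
    RatedRisk("Manage Data Systems", 3, 2, 3),
    RatedRisk("Legal Compliance", 4, 5, 4),
    RatedRisk("Insufficient Funding", 5, 2, 3),
    RatedRisk("Competition with Others", 2, 5, 4),
]
INVENTORY = [
    InventoryEntry("System outages", 5, 5, 7),
    InventoryEntry("Attracting & retaining qualified staff", 4, 5, 8),
]
```

Calling rank_risks(TOP_RISKS) reproduces the slide's two 13-point risks at the top, and each InventoryEntry's inherent() and residual() reproduce the 25/18 and 20/12 figures in the log.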

CASE STUDY: THE PROCESS. Tables identified by name of department: Human Resources; Legal; Risk Management; IT; Internal Audit; Finance. Attendees collaborate in identifying and addressing issues.

CASE STUDY: THE PLAYERS