Achieving integrated risk management


Integrated risk management is still misunderstood. Some organizations see it as combined compliance and risk management functions. Others approach it as connecting risk-related systems and tools or as placing all risk-related activities under one executive. But those definitions are too narrow and fail to make a positive case for integrated risk management. That positive case stems from the many opportunities to drive higher performance that risks present when they're properly managed.

So, what is integrated risk management, really? How can you gauge your organization's level of integration? And how can you move your program to the next level?

Performance-driven risk management is a key characteristic of some of the world's most successful companies. [1] Integrated risk management is an essential step in achieving performance-driven risk management. In general, the more integrated an organization's approach to risk management, the more tightly it will align risk management to strategic goals and high performance. In addition, integrating risk management enables an organization to:

- Reduce its exposure to unidentified, unmeasured or unmanaged risks
- Allocate more resources to critical risks and fewer to less important ones
- Minimize inefficiencies generated by siloed, overlapping or incomplete solutions
- Control the cost of governance, risk management and compliance (GRC)
- Address emerging and evolving risks and regulatory mandates more effectively
- Achieve competitive advantage and generate greater value

Of course, managing compliance efficiently, preventing losses and maintaining appropriate insurance remain key risk management activities. Yet risks and gains to be realized by navigating risks have risen to a point where more integrated approaches are necessary.

Few organizations have gotten there. Grant Thornton's 2017 CFO Survey found that only 14 percent of respondents completely agree that their risk management program is integrated across business functions. [2] Nearly a decade after the global financial crisis exposed the interrelatedness of risks, risk management often remains fragmented.

[1] Performance-driven risk management: An integrated approach, Grant Thornton, 2017 <https://www.grantthornton.com/~/media/content-page-files/advisory/pdfs/2017/Performance-driven-risk-management.ashx>
[2] Grant Thornton's 2017 CFO Survey, https://www.grantthornton.com/library/survey-reports/cfo-survey/2017/changing-game-plan-for-tomorrow.aspx

Identifying the pieces

In practice, truly integrated risk management will:

- Align risk management with the business strategy. Integrated risk management begins at the highest levels, aligning risk management with the organization's value proposition and business strategy. Grant Thornton research [3] shows that executives rate strategic risks more important among general risks, yet rate their monitoring and mitigation of them the lowest.
- Identify and assess all risks. An intense focus on narrowly defined risks can obscure management's view of the full range of risks to assets and processes. An integrated approach identifies, assesses and addresses all risks to the organization, particularly risks that could undermine performance.
- Recognize the interrelatedness of risks. As the financial crisis and several highly public incidents since then have shown, a single risk event can trigger or amplify other risks. An integrated approach recognizes dynamic relations among risks and potential knock-on effects of risk events.
- Enhance cyber risk management. Technology is integral to every business activity. This creates exposures not only from cyber crime, but also from external innovations, bad bets on technology and failure to adopt. An integrated approach coordinates management of all cyber risks across the organization.
- Establish risk-related infrastructure. Integration means going beyond risk-specific solutions (which have their place) to strengthen risk management and governance structures. This calls for clear roles and accountabilities for risk and well-understood risk appetite, tolerances and responses.
- Apply advanced analytics. Organizations generate massive internal data and can access unlimited external data. Yet most fail to capture, analyze and act upon all relevant data. An integrated approach proactively uses data to increase visibility into risks and enhance risk management.
- Optimize resource allocations. Companies tend to overinvest in some risk-related areas and underinvest in others, particularly when they lack data-driven approaches to risk. An integrated approach optimizes allocation of risk management resources.

The above steps support business strategies, enhance efficiency, reduce risks and accelerate responses to risk events. When implemented together, these activities drive higher performance. This is not integrating risk management for its own sake but to protect and generate value and boost performance. [4]

Relatively few companies rate themselves highly on integrated risk management: Grant Thornton's 2016 GRC survey [5] found that only 7 percent of respondents rated their governance, risk management, and compliance as value-adding and integrated while 22 percent rated theirs as integrated with some value adding activities. That 7 percent is the cutting edge, with the 22 percent close behind. However, that leaves some 70 percent racing to catch up.

[3] Balancing risk with opportunity in challenging times: Governance, Risk and Compliance Survey 2016, Grant Thornton <https://www.grantthornton.com/~/media/content-page-files/advisory/pdfs/2016/bas-grc-report.ashx>
[4] Performance-driven risk management: An integrated approach, Grant Thornton, 2017 <https://www.grantthornton.com/~/media/content-page-files/advisory/pdfs/2017/Performance-driven-risk-management.ashx>
[5] Balancing risk with opportunity in challenging times: Governance, Risk and Compliance Survey 2016, Grant Thornton <https://www.grantthornton.com/~/media/content-page-files/advisory/pdfs/2016/bas-grc-report.ashx>

Linking risk management to performance

To further clarify the relationship between integrated risk management and higher performance, we illustrate for each of the above-identified activities three levels of linkage between integrated risk management and performance, with each level of linkage characterized in summary.

These sample characteristics are offered as illustrations of ways to consider current capabilities and their levels of integration and linkage to performance. Other activities and characteristics of linkage may apply to your organization depending on its business, industry, size and other factors.

Linking integrated risk management and performance (sample characteristics of linkage)

| Activity | Little linkage | Some linkage | Tight linkage |
| --- | --- | --- | --- |
| Align risk management (RM) with business strategy | Fragmented, compliance-based RM not aligned with strategy | Identifies & manages risks to the business strategy | Aligns RM with strategy & identifies opportunities as well as threats |
| Identify & assess all risks to the organization | Rudimentary or informal annual risk assessment | Formally identifies & assesses all risks periodically | Formally identifies & assesses all risks continually |
| Recognize the interrelatedness of risks | Generally does not treat risks as interrelated | Develops plans that address some effects of interrelated risks | Monitors risks & deploys responses to address interrelatedness of all risks |
| Enhance cyber risk management | Outdated wall & fortress approach and patching & incident response | Integrated cyber, technology, digital, operational, and financial RM | Proactive, value-driven, integrated digital and operations risk management |
| Establish risk-related infrastructure | Some formal risk-related roles & responsibilities | Defined RM function, roles, responsibilities, risk appetite/tolerances | Dedicated RM function & applies three lines of defense model [6] |
| Apply advanced analytics to risk management | Little or some use of analytics in RM | Uses analytical tools to analyze & report on full range of risks | Uses advanced analytical & visualization tools to monitor real-time risks |
| Optimize resource allocations | Some risk-based planning/budgeting | Risk-based allocation of RM and assurance resources | Extensive risk-based allocation of all resources |

[6] The three lines of defense is a widely recognized organizational risk management model in which business units are the first line; quality control, compliance and the risk management function are the second line; and internal audit is the third line. Each plays a specific role: the first line owns and manages risk, the second line provides monitoring of the first line and internal audit provides assurance to management and the board and advisory services to the other two lines.

Here are a few ideas on how to use this illustration:

- Discuss these characteristics with leaders in operations, finance, treasury, compliance, legal, risk management, IT and internal audit and key committees and board members to develop consensus views around current practices.
- Recognize that a company need not achieve tight linkage or high integration in every area of risk management and should prioritize needs and actions. Every organization faces unique risks arising from its business model, strategy and competitors and should prioritize accordingly.
- Avoid equating high levels of spending or activity with high levels of maturity. For example, spending on ERM systems will not necessarily facilitate integrated risk management.

This illustration aims to prompt thinking about ways to link risk management with performance. Note too that while an organization can pursue integrated risk management mainly to reduce costs, the more motivating and sustainable goal would be to pursue higher performance.
Key ways to accelerate integrated risk management

Consider these elements when looking for ways to promote or accelerate integration of risk management:

1. Develop a common company-wide risk language and taxonomy that defines and documents all risk types, enables a clear risk framework, and facilitates training of critical employees
2. Ensure that all areas, including the businesses, compliance, risk management, legal, and internal audit employ the same risk governance and risk management framework
3. Apply a common company-wide risk assessment methodology (incorporating likelihood and potential impact) for all risks
4. Enhance management and board reporting of risks by focusing on key risks and emerging trends by applying a consistent framework
5. Bear in mind that the business owns the risks they are responsible for managing

These steps generally enable an organization to focus more attention and resources on critical risks and less on noncritical risks while improving business decisions by making them more risk-based.

Putting it together

Risks are becoming even more pervasive, multifaceted and dynamic. This partly explains why risk management has become so fragmented. In trying to address myriad risks, many companies purchase tools and implement solutions without proper coordination and governance. In addition, focusing mainly on loss prevention can cause an organization to miss opportunities to drive performance by understanding which risks to take and how to mitigate them.

Problems arise whenever management has been scrambling to respond to rapid change. Yet the pace of change is not about to slow down, which is why integrating risk management has become so important. It's a proven method of consolidating gains, rationalizing solutions and pursuing growth.

Given the risk landscape, now would be a good time to integrate risk management across your organization. Steps toward a more integrated and performance-driven approach may include the following:

- Start with goals and strategy. Begin by articulating management's goals and the strategy for achieving them. Then identify the full range of risks (financial, operational, economic, political, technological, cyber, cultural, regulatory and reputational) that could undermine implementation of the strategy and achievement of the goals.
- Adopt company-wide practices. Adopting a common risk governance and management framework and risk assessment methodology will rapidly accelerate integration of risk management. So will fostering a common risk language and taxonomy. A common risk framework, methodology and language generates a clear understanding of risks, optimizes allocation of resources, enhances management and board reporting on risks, and facilitates risk-related training.
- Conduct a comprehensive risk assessment. A comprehensive risk assessment considers all risks to the organization and interrelationships among risks, and assesses their likelihood and potential impact. It then identifies ways of lessening their likelihood and mitigating their impact. The result should be a deep understanding of the risks to address to protect and create value and a clear picture of mitigated and unmitigated exposures. The results then inform the risk appetite, tolerances and profile.
- Look to the three lines of defense. The three lines of defense model can be valuable in defining and coordinating risk-related roles and responsibilities. At every level of every business and function, people need to understand the risks within their area and which ones they own and are accountable for managing. Internal audit and external resources can be particularly valuable for their objective advice regarding risk management infrastructure.
- Use cyber risk management to foster integration. The pervasiveness of digital technologies makes cyber a lever for integrating risk management. [7] New technologies regularly disrupt (or enable) strategies and business models. Meanwhile, every person in the organization as well as third parties can expose the organization to cyber risk. An integrated approach to cyber risk can serve as an entry point to integrating risk management and as a laboratory for such efforts.
- Get the help you need. External expertise can help your organization to assess its compliance and risk management maturity, conduct a risk assessment, rationalize and optimize controls and compliance processes and integrate risk management.

To learn more about how Grant Thornton works with clients to help them navigate their risks, visit gt.com/risk.

[7] Taking AIM at cyber risk, Grant Thornton, 2016 <https://www.grantthornton.com/~/media/content-page-files/advisory/pdfs/2016/adv-taking-aim-at-cyber-risk-2.ashx>

Contacts

Vishal Chawla, National Managing Principal, Risk Advisory Services
T +1 703 847 7580
E vishal.chawla@us.gt.com

Jose Molina, Principal
T +1 312 602 8330
E jose.molina@us.gt.com

Shawn Stewart, Partner
T +1 949 608 5220
E shawn.stewart@us.gt.com

GT.COM

"Grant Thornton" refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL), and/or refers to the brand under which the GTIL member firms provide audit, tax and advisory services to their clients, as the context requires. GTIL and each of its member firms are separate legal entities and are not a worldwide partnership. GTIL does not provide services to clients. Services are delivered by the member firms in their respective countries. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another's acts or omissions. In the United States, visit grantthornton.com for details.

© 2017 Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd.