Your SlideShare is downloading. ×
Building an ERM Framework for Credit Unions
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Building an ERM Framework for Credit Unions


Published on

This presentation highlights Doxim's Best Practices for building an ERM framework for Credit Unions. See how Doxim's RiskManager can help facilitate the effective management of an ERM Program. Visit …

This presentation highlights Doxim's Best Practices for building an ERM framework for Credit Unions. See how Doxim's RiskManager can help facilitate the effective management of an ERM Program. Visit for more information.

Published in: Economy & Finance, Business

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • Good afternoon everyone and thank you for attending today’s webinar; Enterprise Risk Management: Building an ERM framework. Now for those of you that are new to Doxim webinars we ask that you submit all questions and comments in the comment box at the bottom of your GoTo Webinar user interface and we’ll answer them during our Q&A session at the end of the webinar …so don’t be shy and ask away. And as a reminder if you’re unable to stay until the end of the webinar we will be emailing out a link to the on-demand recording of this webinar in the coming days.Now it is my pleasure to have Ingrid Robinson, Senior Manager Enterprise Risk ServicesSharon Russell, Privacy Officer and Doxim’s resident expert on Risk Management
  • Now to quickly go over today’s agenda we will be covering how to build an ERM framework, but we start by:Defining the fundamentals of ERMDetail some of the activity in the regulatory landscapeAnd then dive into some of the best practices of building an ERM framework and show how our solution, Doxim RiskManager can help facilitate the effective management of an ERM programAnd then we’ll wrap things up with a Q & A session at the end – so again if you have questions at any time during the webinar feel free to ask away in the chat box at the bottom of your GUI.
  • Finally, just a quick overview of the products and services that Doxim supplies to the CU space
  • POLL 1: where are you with you ERM program?Not started – need helpImplemention UnderwayFully Implemented
  • Segue to sample set of risks that have been identified as required work – show as report with risks and actions and updatesShow how Doxim Risk Manager is able to provide all required reports for maintaining the Risk Program
  • POLL #2: Please rate your interest in Doxim’s ERM solution, RiskManager.Very Interested Please Set Up a DemoSomewhat Interested – Send me more informationNot Right Now – please follow up with me in a monthNot Interested – currently using excel spreadsheetsNot Interested – using a similar tool to Doxim RiskManager
  • Ingrid to give a brief description of the ERM workshopsPOLL #3: Please rate your interest in attending an ERM workshop.Very Interested – please send me detailsSomewhatInterested – would like to know moreNot Interested – my ERM program is humming
  • At this point, I’ll open it up to any questions, but if you’d like to learn more about doxim you can visit or if you’d like to learn more about MNP you can visit their website We've also listed a variety of ways you can stay in touch with Doxim here on this slide.Again keep the questions coming simply submit them at in the chat box at the bottom of the GoToWebinar User Interface and we’ll try to answer as many as we can without going over the allotted time.First question….1.        How as a Board member can I get comfort that management’s likelihood and impact scores are reasonable? ·        Understand the process taken and participant involvement ·        Group discussion on primary risks with management and the Board to go through the risks in detail ·        Gut-check/reality check ·        In the longer-term credit union Board members will have a better handle on the risks 2.        How can ERM be used to demonstrate risk management of new products/initiatives to the regulator? ·        Embedding ERM into core businesses and planning processes allows management to effectively  update the organization’s risk profile and understand what risk scenarios or events may be emerging ·        From our discussions with regulators, there have been challenges with new  products, services and systems that have led to organizational failures or failing to meet objectives that have resulted in financial losses and a lot of time and effort ·        initiatives should have a robust risk assessment strategy that is developed by management and approved by the Board ·        The business planning process for new initiatives should have defined objectives and from there you can conduct a risk assessment of the new product and develop a risk management strategy with ongoing reporting 3. Benefit of using risk manager vs excel?4. Whats included in the standard RiskManager offering?I’d like to thank for attending today’s webinar: Building an ERM Framework If you would like to learn more you can visit or contact us at In addition you can follow us on twitter @doxim_inc, like us on facebook at, subscribe to our YouTube channel, DoximTV. And if you missed something or would like to share the contents of this webinar we will also be sending out a follow up email tomorrow with an on-demand recording of this webinar for you to view and share at your convenience. Thank you again and have a great day.
  • Transcript

    • 1. Enterprise Risk Management Building an ERM Framework
    • 2. Agenda Enterprise Risk Management (ERM) Defined ERM Regulatory Landscape Building an ERM Framework ERM Key Success Factors Q & A session
    • 3. Doxim Inc.• Established in 2000• Headquarters in Toronto, Canada• Serving hundreds of clients: Financial services & service providers• Growth: Solid recurring revenue business model• SaaS delivery model• Platforms: Automated document processing, ECM, client onboarding and ERM solutions• Highly available, redundant cloud computing platform
    • 4. MNP LLP Founded in 1945 7th largest accountancy and advisory firm in Canada 80 locations and 3,000 team members
    • 5. MNP LLP – Enterprise Risk ServicesEnterprise Risk service line:  Enterprise Risk Management  Regulatory Compliance  Technology Risk  Internal Audit  Business Resilience  Security & Forensics
    • 6. What is ERM?Enterprise RiskManagement (ERM) is arigorous and coordinatedapproach to assessingand responding to all therisks (both upside anddownside) that affect theachievement of anorganization’s objectives
    • 7. Siloed Risk ManagementOrganizations typically undertake some risk managementactivities but may lack an integrated and disciplined process Strategic Regulatory Financial Reputation Human Resource Insurance Business IT Interruption Political Environmental
    • 8. Leading ERM Methodology (ISO 31000) (AS/NZS 4360)
    • 9. What is ERM Governance? Risk Governance is about three things: 1. Understanding limits of acceptable risk 2. Providing confidence and guidance to management 3. Anticipating events to position firm for success(National Association of Corporate Directors Blue Ribbon Commission on Risk Governance, 2009
    • 10. ERM Value Proposition Early Warning Systems  Systematically identify, assess and prioritize risks No Big  Avoid unrewarded risks Surprises  Promote organizational learning among management  Reduce chance of repeat problems Operational Resilience  Provide assurance that key risks are understood and mitigated  Prevent and rapidly respond to potential catastrophic failures No Big Mistakes  Secure and protect staff, processes, and technology  Align organizational goals with stakeholder requirements Enhance Organizational Value No Big  Seek growth, ensuring threats are understood and vulnerabilities Missed are mitigatedOpportunities  Accelerate ability to respond to change and opportunities  Identify opportunities to improve performance and reduce costs
    • 11. Global Financial CrisisConditions triggered economic downward spiral:  Sub-prime meltdown  Liquidity crisis  Extreme market volatilityRepercussions spread to broader economy:  Global credit market constriction  Reduced consumer demand  Volatile commodity prices, currencies and stock prices
    • 12. ERM Outcome Balancing risk/reward more challenging Risk is more complex, interconnected and potentially devastating than ever before Companies are re-assessing strategies for responding to challenges and pressures Board risk oversight function has taken centre stage!
    • 13. ERM Regulatory LandscapeCanada: National Policy 58-201 (2005)Board should adopt mandate explicitlyacknowledging responsibility for: Adopting strategic plan that takes opportunities and risks of the business into account Identification of principal risks, and ensuring implementation of appropriate systems to manage these risks
    • 14. ERM Regulatory LandscapeBasel (2011): Principles for Sound Operational Risk ManagementBoard and senior management should establish a strongrisk management culture with standards and incentives forresponsible behaviour: Requires Framework for operational risk that is fully integrated with overall risk management processes Boards must periodically review Framework and approve risk appetite and tolerance statements for operational risk Defined risk policies must be in place Public disclosure of risk management practices required
    • 15. ERM Regulatory LandscapeCanada: DICO By-law 5 (2011) Class 2 Credit Unions must have a comprehensive ERM Framework in place (scaled to size, complexity and risk profile) Class 1 Credit Unions required to implement and monitor prudent risk management policies for significant risks
    • 16. Building an ERM Framework Risk Framework enables objectives, risks and control to be aligned throughout the organization It harnesses the power of the enterprise to work towards the achievement of organizational strategy and objectives It builds risk management and control into every day business activities at all levels of the organization
    • 17. MNP’s ERM MethodologyRisk management must be viewed as a process, not an event t ERM Framework ERM Risk Management Framework u Risk Assessment ERM Risk Assessment x Optimization v Risk Treatment Continuous Develop ERM Improvement Prevention & Response Strategies w Response Monitoring Monitor ERM Design & Implement Compliance & Solutions Performance (ISO 31000)
    • 18. ERM Framework Roadmap Dimensions of a Risk Management Framework Risk Culture Infrastructure & Resources & Tools & Techniques & Policies Organization Capabilities  Tools & techniques Organizational Mindset  Authority, Responsibility  Installing Centres to support the efficient Tone at the Top & Accountability of Competency & effective identification, Standards/Protocols  Bottom-up Structure  Communication measurement, & Awareness management & Risk Appetite &  Top-down Structure  Learning & Education reporting of risk Tolerance  Monitoring Functions
    • 19. ERM Framework Roadmap Dimensions of a Risk Management Framework Risk Culture Infrastructure & Resources & Tools & Techniques & Policies Organization CapabilitiesKey activities: Gain Executive and Board level commitment for ERM Framework Establish the risk management philosophy and develop a risk management policy Communicate the ERM initiative and policy to management and staff Review current risk management practices Determine risk appetite and risk tolerances
    • 20. Risk Appetite & Risk ToleranceCorporate Strategy is governed by thewillingness of an organization to acceptrisk in the pursuit of value creationRisk Appetite establishes theboundaries for the broad risk takingactivities of the organization  Guidepost in strategy setting  Reflects entity’s risk management philosophy  Can be qualitative or quantitative
    • 21. Risk Appetite & Risk ToleranceRisk Tolerance is the level of variationan organization is willing to acceptaround the achievement of objectives:  Generally quantitative (measured the same as related objectives)  Considers relative importance of objectives (aligns with risk appetite)  Performance measures used to ensure results adhere to tolerances
    • 22. ERM Framework Roadmap Dimensions of a Risk Management FrameworkRisk Culture Infrastructure & Resources & Tools & Techniques & Policies Organization Capabilities  Define mandates, roles & responsibilities and assign and/or hire personnel
    • 23. ERM Roles & Responsibilities Governance, Assure Stakeholders Board Tone at the Top, Policy, Set Risk Appetite, Executive Monitor reporting, Performance Management Risk Process, Tools, Advice, Monitoring, Develop Corporate Risk & Train Risk Champions, Ensure Quality and Department Ownership, Escalating, Reporting to Board Facilitate Risk Management Process at Site or for Risk Champions a Function Ensure mitigation action plans undertaken Confirm quality of the assessment, monitoring Risk Owners and status reporting of their risks. Identify / Assess / Mitigate / All Employees Monitor / Escalate
    • 24. ERM Framework RoadMap Dimensions of a Risk Management Framework Risk Culture Infrastructure & Resources & Tools & Techniques & Policies Organization Capabilities  Develop training and awareness programs for personnel with key risk management role  Roll out program to all staff and management
    • 25. ERM Framework Roadmap Dimensions of a Risk Management FrameworkRisk Culture Infrastructure & Resources & Tools & Techniques & Policies Organization Capabilities  Establish context
    • 26. Establishing the Context Vision What we want to be? Mission How we want to get there? Values What is important to us? Strategy What is our game plan? Strategic InitiativesERM What are the objectives and priorities? Risk Management What are the risks that will impact our objectives? Strategy Execution How are we going to accomplish what needs to be done?
    • 27. ERM Framework Roadmap Dimensions of a Risk Management FrameworkRisk Culture Infrastructure & Resources & Tools & Techniques & Policies Organization Capabilities Develop risk identification, assessment and risk treatment processes  Ongoing – escalation of new risks  Annual self-assessment
    • 28. Credit Union Risk Universe INTERNAL EXTERNAL VALUE CHAIN CONDITIONS CONDITIONS Strategic Business Setting  Corporate Governance &  Social/Economic (global Board Effectiveness Lending and local market stability;  Transparency & Financial  Lending evaluation demographics) Integrity Operational Financial (commercial /  Political (government  Strategy Development &  Fraud (money  Market risk personal) fiscal and monetary policy; Implementation laundering, identity  Liquidity and Funding  Credit default regulatory developments )  Strategic Partnerships & theft, debit card  Foreign Exchange  Credit concentration  Competition (financial Relationships skimming, etc.)  Capital Management  Environmental (e.g. services industry) Performance Measurement  Business Continuity  Structural (asset/liability member purchase of  Technological  Reputation/Brand  Insurance matching) contaminated Advancement Mergers/Acquisitions, Dives  Physical Infrastructure  Interest Rates property)  Provincial expansions tures / Facilities  Accounting standards  Distribution Networks  Capital Project (IFRS) (branch openings, ATM, on- Management line  Third Party Reliance/ banking, insurance, etc.) Outsourcing  Member satisfaction  New Product IT Systems Introduction Human Resources Compliance  Capacity & Availability  Financial Reporting &  Staffing Levels & Skills  Regulatory (DICO, Basel Cultural  IT Disaster Recovery Disclosure  Development, II Accord, Bill C-10, credit  Goal Alignment  Security  Financial, Scenario & Performance & card interchange fees,  Communication  Strategy & Operational Planning Succession Federal Bank Act, OSFI,  Change Management Architecture  Financial Policies  Recruitment & Retention etc.)  Ethics & Values  Reliability & Efficiency (accounting standards  Compensation &  Legal (including contract  Social Responsibility  Information Systems compliance) Incentives (Executive) management)  Accountabilities &  System Conversions  Branch Controls  Employee Satisfaction  Employment Empowerment  Innovation / Emerging  Employee Conduct  Privacy Technology
    • 29. Sample Likelihood Scores Likelihood Descriptor Probability of occurrence Score 1 Improbable/Remote < 5% in one year or once in 20 years 2 Unlikely/Might 4% to 20% in one year or once in 15-20 years Happen 3 Possible 20% to 40% in one year or once in 10-15 years 4 Good Chance 40% to 50% in one year or once in every 5 years 5 Probable/Likely 50% to 80% in one year or once in every 5 years 6 Definitely/Certain >80% in one year or once every 1-2 yearsSource: DICO ERM Application Guide
    • 30. Sample Impact ScoresImpact Descriptor Quantitative Impact Qualitative Impact Score 1 Minimal or Insignificant $ or % of dollar loss No loss to reputation No members lost Negligible effect on member Insignificant impact on capital No regulatory consequences No service disruption 2 Slight or Minor $$ or % of dollar loss Adverse reaction by affect members $$ or % revenue loss Few members affect # or % of members lost Business Disruption < 1 day Minor impact on capital 3 Moderate $$ or % of dollar loss Adverse reaction by members $$ or % revenue loss Some member affected Regulatory # or % of members lost attention Minor impact on capital Business Disruption >1 but less than 2 days 4 High $$ or % of dollar loss Adverse reaction in news $$ or % revenue loss Many members affected # or % of members lost Regulatory warning Material impact on capital Business disruption 2-7 days 5 Very High $$ or % of dollar loss Adverse reaction is news $$ or % revenue loss Most member affected # or % of members lost Regulatory intervention Major impact on capital Business Disruption longer than 7 days 6 Severe or Catastrophic $$ or % of dollar loss Loss of reputation $$ or % revenue loss All members affected # or % of members lost Cease Operations Catastrophic impact on capital Cannot Recover ServiceSource: DICO ERM Application Guide
    • 31. Risk Assessment – Severity Matrix RISK RATING MATRIX Happens all the time with high LIKELIHOOD RATING A certainty. Will happen with L18 M11 H6 H3 H1 very high certainty. Happens frequently with high B certainty. Will happen with L20 M14 M10 H4 H2 high certainty. It could happen. Seen it C happen before. L22 L19 M12 H7 H5 Reasonably certain it wont D happen. It may happen at L24 L21 M15 M13 H8 some point. Doubt it could happen. May E occur in exceptional L25 L23 M17 M16 H9 circumstances. 1 2 3 4 5 IMPACT RATING Revenue <1% 1-5% 5 - 20 % 20 - 50 % > 50 % (variance to budgeted ounces) Dollar Impact Cost <1% 1-5% 5 - 20 % 20 - 50 % > 50 % (variance to budgeted costs) Project Schedule Delay < 2 weeks 2 - 4 weeks 1 - 3 months 3 - 6 months > 6 months Project Budget <1% 1-5% 5 - 20 % 20 - 50 % > 50 % (variance to budgeted costs) Value <1% 1-5% 5 - 20 % 20 - 50 % > 50 % (reduction to NPV) Increased reporting Fall out of compliance Temporary shut down and Legislation, Laws, Regulations that cause: standards and regulatory and increasing scrutiny operating uncertainty Temporary closure Complete shutdown burden from regulatorsLicence to Operate Moderate stakeholder Strong stakeholder Stakeholder Relations Potential stakeholder Some stakeholder Vehement stakeholder opposition and bad opposition and & Reputation opposition opposition publicity operational interruptions opposition No impact on stakeholder Limited impact on Medium impact on High impact on Loss of stakeholder Stakeholder Relations confidence in stakeholder confidence in stakeholder confidence in stakeholder confidence in confidence in & Reputation management of the management of the management of company management of company management of company company company
    • 32. Doxim RiskManager
    • 33. Doxim RiskManager for ERMTalking with our Credit Union customers over the past 12 plus monthsDoxim has identified a need within the CU space:Regulatory mandates are driving need to implement ERM  DICO, DGCM, CUDIC, etc…  Subset of risk management imperativeDifficult to manage manuallyNeed a cost effective, purpose built toolDoxim RiskManager:  Best of breed, cloud based solution  Easy to use, secure, collaborative  Manage all risks across a Credit Union
    • 34. Doxim RiskManager DemoDemo of key capabilities aligned with ERM Roadmap:  Strategic drivers  Work from your strategic drivers out  Understand risk universe  Align all risks under the strategic drivers  Manage and resource your risks  Identifying inherent likelihood and impact  Compare risk scores to risk appetite  Identify the risk owners  Develop risk responses  Risk monitoring/reporting  Optimization  Continuous improvement  Dashboards and reporting
    • 35. ERM Framework Roadmap Dimensions of a Risk Management FrameworkRisk Culture Infrastructure & Resources & Tools & Techniques & Policies Organization Capabilities  Develop risk monitoring processes:  Identify risks that need to be monitored  Establish risk indicators  Assign responsible party and establish frequency for monitoring risk indicators
    • 36. ERM Framework Roadmap Dimensions of a Risk Management FrameworkRisk Culture Infrastructure & Resources & Tools & Techniques & Policies Organization Capabilities  Develop risk reporting processes  Regular ongoing reporting  Exception reporting  Develop risk management tools (templates or software)  Continuous improvement
    • 37. Doxim RiskManager
    • 38. Doxim RiskManager Benefits SaaS solution = monthly fee vs big upfront investment Priced for the Credit Union marketplace Fully scalable for any sized organization Secure multi-tenant environment ensures data privacy Pre-built content: DICO, DGCM and other provincial ERM regulations framework preloaded Facilitates collaboration across departments/locations
    • 39. Doxim RiskManager Benefits One version for all users Not a black box  Universal accessibility and visibility Supports multi-user access Flexible, real time reporting:  Pre-built and adhoc  Custom Dashboards Multiple user levels  i.e. admin, user, & view only  User based permissions
    • 40. What Does Success Look Like? Tone set at the top Risk management integrated within decision-making Risk management linked to performance management Proactive risk assessment, monitoring and reporting Risk Management embedded in business processes
    • 41. Contact InformationFor ERM consultation and workshops:Ingrid Robinson, MFAc, CPA, CIA, CRMASenior Manager, Enterprise Risk Services, MNP LLP416-515-3934ingrid.robinson@mnp.caFor ERM Solution, Doxim RiskManager Inquiries:Sharon RussellEnterprise Risk Manager, Privacy
    • 42. Connect With Us @Doxim_Inc