2. AGENDA
• Working Definition of Enterprise Risk Management (ERM)
• Components of ERM
• Talk through a “mock” ERM Program Review
• Look at some sample tools you can implement immediately
3. COMMONLY USED DEFINITIONS
• COSO’s ERM Framework
• ISO 31000
• Consultants
• FFIEC
• OCC
• Federal Reserve
• Wikipedia
4. MANAGEMENT
Wikipedia – Management
• Management in businesses is the function that coordinates the efforts of people to accomplish goals and objectives by using available resources efficiently and effectively. Management includes planning, organizing, staffing, leading, and controlling an organization to accomplish the goal.
• Management involves identifying the mission, objective,
procedures, rules…to contribute to the success of the
enterprise.
5. RISK MANAGEMENT
Wikipedia – Risk Management
• The identification, assessment, and prioritization of risks followed
by coordinated and economical application of resources to
minimize, monitor, and control the probability and/or impact of
unfortunate events – or to maximize the realization of
opportunities. Risk management’s objective is to assure
uncertainty does not deflect the endeavor from the business goals.
• Risks can come from various sources including uncertainty in
financial markets, threats from project failures, legal liabilities,
credit risk, accidents, natural causes and disasters, deliberate
attack, or events of uncertain or unpredictable root cause.
6. ENTERPRISE RISK MANAGEMENT
Wikipedia – Enterprise Risk Management
• Includes methods and processes used by organizations to
manage risks and seize opportunities related to the
achievement of their objectives. ERM provides a framework
for risk management, which typically involves identifying
events or circumstances relevant to the organization’s
objectives (risks and opportunities), assessing them in terms of
likelihood and magnitude of impact, determining a response
strategy, and monitoring progress.
7. COSO ERM FRAMEWORK
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
8. ISO 31000 DEFINITION
Risk Management Framework
A set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.
10. ERM, SIMPLY STATED
• ERM is the process used to identify, measure, monitor, and
control risk
11. BUT, WHAT DOES ERM “LOOK LIKE”?
• Most of us must be “doing” ERM at some level – the doors are still open
• Can we do better? Are there gaps in our program? How do we know?
13. KEY ERM “COMPONENTS”
• Board and senior management oversight
• Policies, procedures, and limits
• Risk measurement, monitoring, and reporting
• Internal controls
14. MOCK ERM PROGRAM REVIEW
• Gather Information
• Understand how your bank “sees” ERM and risk management
• Populate the Program Overview / Gap Analysis Tool
• Identify gaps
• Provide sample tools
15. STEP 1 – GATHER INFORMATION
• Strategic Plan / Goals and Objectives
• Policies
• Board / Executive Management Reports and Presentations
• Other Metrics
• Risk Assessments
• Internal Audit Scope / Schedule / Reports
16. STEP 2 – UNDERSTAND
• Read all information provided
• Talk to executive and senior managers, and also to board
members if possible
• Understand how you see risk management, the importance, the
drivers, your appetite for risk, and what you want out of your
ERM program.
17. STEP 3 – GAP ANALYSIS
• Customize the Program Overview / Gap Analysis Tool to your bank
• Document your program elements in the Program Overview / Gap Analysis Tool:
  • Definitions
  • Governance (committees, risk owners)
  • Key policies, procedures, and limits
  • Risk assessments
  • Reports and other communication protocols
  • Internal control elements
  • Risk appetite statements
  • Key Risk / Performance Indicators
20. COMMON “GAPS”
• No ERM Policy or Framework
• No Enterprise Risk Assessment (Top 10 or Letterman List)
• Risk Appetite not documented
• Missing Key Risk Indicators
• No periodic ERM Summary Report to Board and Executive
Management
21. ERM POLICY OR FRAMEWORK
• The Program Overview / Gap Analysis Tool thoroughly documents your program
• The ERM Policy should be short and high level. It does not replace other policies; it is more of an umbrella over them. Typical contents:
  • Overall Policy Statement and Objectives
  • Risk Appetite
  • Risk Categories
  • Program Elements (governance; risk measurement, monitoring, and reporting; internal control system)
  • Program Review
22. ENTERPRISE RISK ASSESSMENT
• Key Risk List – “Board Level” Risks – Letterman List – Top 10 List
• Survey senior and executive management to identify risk
inventory
• Normalize the risk inventory
• Department heads identify “top 5” risks to their departments and
rate risk and controls
• Risk committee to normalize risk ratings and identify most
significant bank wide risks (Top 10)
• Assign accountability and develop risk management action plans
for top risks
28. KEY RISK INDICATORS
• Key Risk Indicator (KRI) – a ratio or piece of information that measures or provides insight into a key risk.
• Key Performance Indicator (KPI) – a ratio or piece of information that measures performance.
• The most meaningful KRIs and KPIs will be directly related to your Strategic Plan, Enterprise Risk Assessment, and Risk Appetite Statements.
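The Enterprise Risk Assessment steps above (collect department "top 5" ratings, normalize the inventory, roll up to a bank-wide Top 10) and the KRI-versus-appetite comparison can be run as a small script. The following is an added example, not a tool from the presentation; the 1–5 rating scale, the residual-risk formula, and all department, risk and KRI values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample input: department heads rate their top risks on an
# assumed 1-5 scale for likelihood, impact and control strength.
DEPT_RATINGS = [
    {"dept": "Lending", "risk": "Credit concentration", "likelihood": 4, "impact": 5, "control": 3},
    {"dept": "IT", "risk": "Cyber attack", "likelihood": 4, "impact": 5, "control": 2},
    {"dept": "Operations", "risk": "Cyber incident", "likelihood": 3, "impact": 4, "control": 3},
    {"dept": "Finance", "risk": "Interest rate", "likelihood": 3, "impact": 4, "control": 4},
    {"dept": "Compliance", "risk": "BSA/AML", "likelihood": 2, "impact": 5, "control": 4},
]
# Normalization: map the words each department uses onto one canonical name.
ALIASES = {"cyber attack": "Cybersecurity", "cyber incident": "Cybersecurity"}
# Constructed KRIs, each with the appetite limit documented for it.
KRIS = [
    {"name": "Past-due loans / total loans", "value": 0.031, "limit": 0.025, "higher_is_worse": True},
    {"name": "Liquidity ratio", "value": 0.12, "limit": 0.10, "higher_is_worse": False},
    {"name": "Days to patch critical systems", "value": 20, "limit": 30, "higher_is_worse": True},
]

def residual_score(r):
    """Inherent risk (likelihood x impact, max 25) discounted by control
    strength; control 1 = no mitigation, 5 = strong (assumed formula)."""
    return r["likelihood"] * r["impact"] * (6 - r["control"]) / 5

def normalize_inventory(ratings):
    """Group department ratings under canonical names; the bank-wide score is
    the highest departmental residual score (the risk committee may override)."""
    inventory = defaultdict(lambda: {"score": 0.0, "depts": []})
    for r in ratings:
        entry = inventory[ALIASES.get(r["risk"].lower(), r["risk"])]
        entry["score"] = max(entry["score"], residual_score(r))
        entry["depts"].append(r["dept"])
    return dict(inventory)

def top_risks(ratings, n=10):
    """The 'Letterman list': top-n risks by residual score, highest first."""
    inv = normalize_inventory(ratings)
    return sorted(inv.items(), key=lambda kv: kv[1]["score"], reverse=True)[:n]

def kri_breaches(kris):
    """Names of KRIs currently outside the documented risk appetite."""
    out = []
    for k in kris:
        worse = k["value"] > k["limit"] if k["higher_is_worse"] else k["value"] < k["limit"]
        if worse:
            out.append(k["name"])
    return out
```

With the sample data, the two cyber entries merge into one "Cybersecurity" risk that tops the list, and the past-due loan KRI is the only one outside appetite.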
30. ERM SUMMARY REPORT
• A periodic (e.g., quarterly), concise summary report that goes to the board and executive management.
• A great way to communicate to the regulators
• Promotes transparency
• Dashboards & graphs – a picture is worth a thousand words