UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: Enterprise Risk Management (ERM)



  1. Board Governance – Enterprise Risk Management
     Forum for Corporate Directors – Leadership in the Board Room
     UC Irvine – The Paul Merage School of Business, Executive MBA Program
     July 18, 2009
  2. Agenda
     • Defining risk…
     • A new risk paradigm
     • ERM – a process point of view
     • Drivers of ERM
     • ERM roles and responsibilities
     • A practical approach to ERM
       – Enterprise risk assessment
       – Risk management framework assessment
     Page 2 UC Irvine Executive MBA – Enterprise Risk Management
  3. Defining risk…
     “A risk is the threat that an event, action, or non-action could adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully.”
  4. A new risk paradigm
     Leading organizations expand their view of risks and enhance risk management beyond the traditional compliance function.
     Keep Us Out of Trouble (“All too confusing and overdone… Must do it… Except when we get in trouble”):
     • Growing Number of Restatements
     • Bigger Fines and Settlements
     • Expanding Regulation
     • Stiffer Sanctions
     • Catastrophic Reputational Consequences
     • Criminal Indictments
     Goal: Make Our Business Better (“But how do we do it better?”):
     • Coordinated Risk Activities
     • Enhanced Business Processes
     • Risk-Adjusted Decisions
     • Effective Use of Technology
     • Improved Risk Reporting and Disclosure
     • Reduced Total Risk Spend
  5. Enterprise Risk Management (ERM) – a process point of view
     “Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
     [Figure: the COSO ERM cube. Objective categories: Strategic, Operations, Reporting, Compliance. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring.]
     Source: COSO – Enterprise Risk Management – Integrated Framework
  6. Drivers of ERM
  7. Greater complexity of business environment and decision making
     Various internal and external drivers and developments require companies to become more effective and efficient at managing risks.
     External Drivers:
     • Changing and expanding regulatory requirements
     • Instability of economic and market conditions
     • Geo-political developments
     • Increasing litigations and fines
     • Increasing scrutiny by rating agencies and listing exchanges
     • Greater sophistication and scrutiny by board members
     • Rapidly changing competitive landscape
     • Others…
     Internal Drivers:
     • More dynamic business models and changing technology requirements
     • Greater distribution of business activities, locations, etc.
     • Increasing interdependencies on business relationships (alliances, JV)
     • Focus on preservation and leverage of intangible assets
     • Increasing cost and/or scarcity of resources (material and labor)
     • Focus on risk-adjusted decision making
     • Others…
  8. Business advantages of good risk management
     Benefits for the organization:
     ► Avoid surprises
       – A routine process to identify and manage potential issues
     ► Better governance
       – Clear risk roles and responsibilities
       – Clear risk communication, language, reporting and escalation
     ► Better decision making
       – Considering the business impact of a broader range of scenarios
     ► Efficiencies
       – More effective and efficient risk functions
       – Less overlap and fewer gaps in risk coverage
     Benefits for stakeholders: surveys point to the value the financial markets and investment analysts ascribe to those companies that can demonstrate good risk management.
     [Chart: % of respondents (N = 137) citing each benefit – Fewer negative surprises; Greater financial stability; Greater certainty of profitability; Lower investment risk; Better long-term share price performance; Greater confidence to retain / increase stake; Greater transparency; Lower share price volatility; Adds company value.]
  9. Shareholder value of risk management
     A survey of 137 institutional investors managing some of the world’s largest funds concluded the following on the question whether “it was worth paying a premium for companies that can demonstrate a successful approach to risk management.”
     • Strongly agree: 31%
     • Agree somewhat: 51%
     • Disagree somewhat: 6%
     • Strongly disagree: 7%
     • Not specified: 5%
     Source: Global Risk Survey of 137 Institutional Investors managing the world’s largest funds, November 2005
  10. ERM consideration in the S&P debt rating evaluation
      Scoring ERM in the debt rating process:
      • S&P indicates that assessing a company’s risk management capabilities is the most subjective of all areas when assigning a credit rating
      • The process started to roll out in Q3 of 2008 with the introduction of the framework model and a focus on building specific industry benchmarks
      • Rating adjustments expected in Q1/Q2 2009
      • Ultimately, the evaluation of risk management may directly impact an organization’s cost of capital
  11. ERM roles and responsibilities
  12. ERM roles and responsibilities (examples)
      Board of Directors
      • Is ultimately responsible for the ERM program
      • Approves risk appetite and risk tolerances
      • Approves risk catalog and assessment methods
      • Sets standards regarding risk policies and programs
      • Monitors the quality of the program
      ERM Steering Committee
      • Assembles executives from key functional areas and risk management functions
      • Contributes knowledge on risks specific to particular business functions
      • Communicates directly with business unit managers to promote ERM and obtain relevant information
      • Shares experiences regarding risk strategies and risk mitigation tactics
      • Coordinates ERM training and reporting
      CEO
      • Coordinates design, implementation, and monitoring of the ERM program
      • Contributes to the definition of risk policy, appetite, and tolerance
      • Assigns roles and responsibilities for design, implementation, and monitoring
      • Decides on resource allocations for risk management strategies
      • Reports to the board on risk issues
      Risk Owner
      • Assumes responsibility for the implementation, use, and monitoring of risk management techniques
      • Contributes to risk assessment and ensures that risk response strategies remain pertinent and effective
      • Decides on risk indicators, thresholds, and implementation of risk response strategies
      • Documents implemented ERM efforts and reports on relevant risk issues / developments
  13. The role of Internal Audit
      [Figure: IIA fan diagram of internal audit roles in ERM, grouped as follows.]
      Core internal audit roles in regard to ERM:
      • Giving assurance on the risk management process
      • Giving assurance that risks are correctly evaluated
      • Evaluating risk management processes
      • Evaluating the reporting of key risks
      • Reviewing the management of key risks
      Legitimate internal audit roles with safeguards:
      • Facilitating identification and evaluation of risks
      • Coaching management in responding to risks
      • Coordinating ERM activities
      • Consolidated reporting on risks
      • Maintaining and developing the ERM framework
      • Championing establishment of ERM
      • Developing RM strategy for board approval
      Roles internal audit should not undertake:
      • Setting the risk appetite
      • Imposing risk management processes
      • Management assurance on risks
      • Taking decisions on risk responses
      • Implementing risk responses on management’s behalf
      • Accountability for risk management
      Source: IIA UK – The Role of Internal Auditing in Enterprise-wide Risk Management
  14. A practical approach to ERM
  15. High-level risk management lifecycle
      • Establish Risk Context & Governance
      • Identify Value Drivers – Develop a consistent risk taxonomy and risk repository and align relevant risks with value drivers (strategies, objectives, initiatives)
      • Identify Risks / Assess Risks – Define consistent assessment criteria based on risk appetite and tolerances and assess relevant risks
      • Develop Risk Response – Define the appropriate risk response strategy (i.e., acceptance, mitigation, sharing, transfer, etc.)
      • Assess Risk Response – Conclude on the preliminary effectiveness of the risk response and develop an action plan for monitoring
      • Monitor & Report – Frequently monitor the effectiveness of the risk response (e.g., controls) and report on results
      Risk Management Components (at the center of the cycle): Risk Culture; Policy & Mandate; Infrastructure & People; Methods & Practices; Information & Technology
  16. A practical approach to ERM
      1 Enterprise Risk Assessment (ERA) – Identify, assess and prioritize the key risks to achieving the organization’s business objectives
      2 Risk Management Framework Assessment (RMFA) – Evaluate the maturity of design and consistency in application of the risk management and internal control framework
      3 Risk Management Transformation
        ► Define improve and monitor efforts for the most significant risks to business objectives
        ► Embed and sustain ongoing risk assessment and monitoring into existing management processes
        ► Align and coordinate risk and control groups across the breadth of the organization
        ► Define focus areas for framework design and enhancements aligned to industry risks and leading practice benchmarks
  17. A practical approach to ERM (overview)
      [Figure: two-part diagram.]
      1 Enterprise Risk Assessment – maps key business objectives (revenue and market share, reputation and brand, asset and capital management, earnings and operating margins) to key business risks (e.g., new product development, treasury, marketing & advertising, IT, sourcing & procurement, compliance, manufacturing & production, distribution & logistics, customer support, tax, finance, legal & compliance, HR) and to the related risk and control activities; business strategy spans the whole, in an Assess – Improve – Monitor cycle.
      2 Risk Management Framework Assessment – evaluates comprehensive risk coverage, coordination across the “lines of defense” (executive management, board oversight, audit committee, internal control, risk management committees, monitoring and control functions, operations and business units, support functions, internal audit) and alignment to business objectives.
  18. ERA – identifying risks in the context of the business drivers
      Business Drivers:
      • Revenue and Market Share – How does the organization grow?
      • Reputation and Brand – Do the stakeholders have a favorable view?
      • Asset and Capital Management – How efficient is the organization?
      • Earnings and Operating Margins – How profitable is the organization?
      Influences on the business drivers: Changes to Strategy, People, Process, Technology; Merger and Acquisition Activity; New Product and Service Developments; External Events or Developments
  19. ERA – a common categorization and understanding of risks
      A common risk taxonomy and risk assessment method is the cornerstone of an effective ERA process.
      RiskUniverse™ Categories:
      • Strategic – Planning and Resource Allocation; Major Initiatives; Mergers, Acquisitions and Divestitures; Market Dynamics; Communication and Investor Relations
      • Operations – Sales & Marketing; Supply Chain; People; Information Technology; Hazards; Physical Assets
      • Financial – Market; Liquidity and Credit; Accounting and Reporting; Tax; Capital Structure
      • Compliance – Governance; Code of Conduct; Legal; Regulatory
      Key Questions:
      • What are our key risks and how do we measure the relevance of those risks?
      • Are we focused on the risks that matter?
      • Who is accountable for the key risks?
      • Are resources aligned to our risk profile?
      • Are we accepting the right level of risk?
      • Are we receiving a fair return on that risk?
      • Who is monitoring the significant risks?
      • How are we improving key controls?
  20. ERA – common techniques to assess and prioritize risks
      A company may employ quantitative or qualitative risk assessment models, which need to be understood and accepted by the respective risk owners and executive management:
      Quantitative Models
      • Methods / Techniques: Value at Risk (VaR); Cash Flow at Risk (CaR); Earnings at Risk (EaR); Monte Carlo Simulation; Others
      • Assessment Criteria: Target or industry benchmarks
      • Important Considerations: Requires availability of a sufficient amount of data or understanding of models; Well suited for financial risks
      Qualitative Models
      • Methods / Techniques: Risk map; Self-assessments, interviews, or facilitated workshops; SWOT analysis; Scenario analysis; Others
      • Assessment Criteria: Risk Assessment Criteria (RAC) with impact and likelihood thresholds
      • Important Considerations: Knowledge and judgment of the individuals involved is critical; Well suited where risks don’t lend themselves to quantification
  21. ERA – relating risk appetite, risk tolerance and risk limits to prioritize risks
      • Risk Capacity – The broad-based amount of risk a company is able to accept in pursuit of its mission, vision, business objectives and overall strategic goals; directly related to an entity’s capital, liquidity and external stakeholder influence
      • Risk Appetite – The broad-based aggregate amount of risk a company is willing to accept in pursuit of its mission, vision, business objectives and strategic goals; directly related to an entity’s risk capacity as well as its culture, desired level of risk, risk management capability and business strategy
      • Risk Tolerance – The specific maximum applicable to each category of risk regarding the magnitude of risks that the organization is willing to take to achieve its strategy and objectives; set such that the aggregation of risk tolerances ensures the organization operates within the risk appetite
      • Risk Target – The optimal level of risk that the organization desires to take to achieve specific business objectives and operate within its appetite/tolerance for risk; defines the balance between risk and reward. The risk target is based on management’s desired returns, the role of risk in achieving those returns and the capability to manage the risk/reward profile
      • Risk Limits – Thresholds to ensure that variation from the expected outcome will be consistent with the risk target but will not exceed the risk appetite/tolerance; defines process-level controls and management authorities and should reflect risk limits
  22. ERA – risk map / assessment outputs (example)
      [Chart: risk map plotting risk exposure (impact x likelihood; low to high, 0.0–25.0) against management preparedness (low to high, 1.0–5.0). Quadrants: Improve Controls (high exposure, low preparedness); Monitor (high exposure, high preparedness); Monitor Risks (low exposure, low preparedness); Accept / Optimize (low exposure, high preparedness).]
      Tier 1 risks:
      1 Emerging Markets – Growth
      2 Liquidity – Cash Management
      3 Key Supplier Dependence
      4 Debt – Cost of Capital
      5 IT – Security and Privacy
      6 Sourcing – Global Competition
      7 IT – Infrastructure Efficiency
      8 Joint Venture Relationships
      9 Ineffective Financial Planning and Forecasting
      10 Competitive Recruitment and Retention
      11 Acquisitions and Integration
      12 Evolving Regulatory Changes – United States Markets
  23. RMFA – a view of required competencies
      Leveraging the information obtained through the ERA, the company evaluates the design and application of the risk management competencies to define improvement opportunities.
      • Do we have the proper oversight on risk and control?
      • Are risk decisions made with proper guidance?
      • Does the culture encourage taking the appropriate risks?
      • Are efforts effectively aligned and coordinated to manage risk?
      • Are risk and control activities efficient and effective?
      • How are risks and controls assessed, monitored and improved?
      [Figure: competency wheel – Strategy, Governance & Mandate, People, Methods and Practices – surrounded by the Assess – Improve – Monitor cycle.]
  24. RMFA – key focus areas to be assessed
      The evaluation of an organization’s risk management capabilities should be focused on a variety of key components and identify opportunities for enhancements across the organization.
      • Governance – Tone At The Top; Strategies and Objectives; Policy and Procedures; Organizational Structure; Roles and Responsibilities; Communication
      • People – Culture and Performance; Alignment and Coordination; Competence and Capabilities
      • Methods and Practices – Risk Identification and Assessment; Risk Management Design and Effectiveness; Process Improvement and Efficiency; Compliance; Monitoring and Reporting; Technology
  25. Wrap-up
  26. Principles of Effective Risk Management – E&Y’s ERM point of view: 6 key elements of successful ERM programs
      • Agreed risk strategy – The Board and management must provide guidance on the appropriate strategy and approach to Risk Management aligned to the organizational strategy.
      • Clear governance framework – The Board will usually delegate day-to-day governance through an oversight structure that includes an enterprise risk committee and/or a chief risk officer.
      • Efficient Risk Management processes – The organization needs defined procedures for assessing and continuously monitoring risks on an enterprise-wide basis.
      • Appropriate technology – Effective systems providing access to information about risk identification, assessment and solutions to support the Risk Management processes.
      • Coordination of Risk Management functions – Integrated risk functions embedded within the business to leverage expertise across the entire organization.
      • The right culture and capability – Everyone in the organization must be attuned to the risk culture, and performance measurements must be risk based.
  27. Parting comments…
      “A ship in harbor is safe – but that is not what ships are built for.” John A. Shedd, Salt from My Attic, 1928
      …Questions?
  28. Speaker’s bio
      Peter Rosenzweig has more than 17 years’ experience in the assessment, design, and implementation of complex risk management and internal control frameworks, including IT risk and control structures. Peter serves as regional subject matter resource in the application of Ernst & Young’s Enterprise Risk Management methodology, and he has assisted various large organizations with the implementation or transformation of enterprise-wide risk management capabilities.
      Contact Information: Peter Rosenzweig, Ernst & Young LLP, Risk Advisory Services. Direct: 213.977.5849, peter.rosenzweig@ey.com
      About Ernst & Young: Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 130,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve potential. For more information, please visit www.ey.com. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.