The document outlines an agenda for a 2009 conference on internal audit solutions that will discuss the evolving roles of the Chief Risk Officer and Chief Audit Executive, strategies for an effective partnership between these roles, and how the current economic crisis has impacted enterprise risk management approaches. It also provides background on the development of these risk management roles and compares the key responsibilities of the Chief Risk Officer and Chief Audit Executive.
1. 2009 Internal Audit Solutions for Tough Times Conference
San Diego, California
Presented by:
John A. Wheeler, Managing Principal
Wheelhouse Advisors LLC
2. • Learn about the evolving role of the Chief Risk Officer (“CRO”) both before and during the current global economic crisis
• Develop an understanding of the complementary aspects of the CRO and Chief Audit Executive (“CAE”) roles, as well as the potential conflicts to avoid
• Discover strategies and critical success factors for an effective CRO & CAE partnership
3. GE Capital
• In 1993, GE entered the capital markets business and needed a broad understanding of a risk profile that it did not understand well
• The CRO title was coined by James Lam, who first served in the role
• Responsible for developing an integrated approach for credit, market and operational risks within the Financial Guaranty Insurance Group
• Based on a similar concept to the Chief Information Officer (“CIO”), who is responsible for integrating IT resources and elevating the role of technology in the business
Source: “Enterprise Risk Management: From Incentives to Controls”, James Lam
4. • Original version published in 1992 and served as the foundation for auditors and management to evaluate the interrelationships of risks and controls
• Focused primarily on operational risk, but promoted a newly adopted risk-based approach to auditing
5. • Over the next decade, internal auditors worked to implement COSO
• Developed a more complete risk mindset
• Educated management as well as the board of directors
• Were limited in their ability to fully implement an effective risk management program due to independence concerns
• COSO viewed as a good start, but incomplete
6. Diagram: Operational Risk. Risk sources: People; Process; Systems; External Events. Event categories: Internal Fraud; External Fraud; Employment Practices and Workplace Safety; Clients, Products, & Business Practice; Damage to Physical Assets; Business Disruption and System Failures; Execution, Delivery, & Process Management.
7. • In 2004, COSO enhanced the integrated framework to extend beyond operational risk
• Emphasized the continuous nature of an effective program
• Established the critical link to strategic planning and solidified the need for a true CRO within an organization
9. • Articulating the organization’s risk appetite
• Integrating risk management disciplines and streamlining approaches
• Wavering support from the board of directors and/or the CEO
• Not having the full complement of skills required for the role
• Tight budgets / making a compelling business case
• Organizational culture
• Misaligned incentives and lack of accountability
10. • The Chief Audit Executive (“CAE”) typically has both the full appreciation and perspective of the company’s entire risk portfolio
• The CAE and the CRO share a common goal of providing reasonable assurance of the successful achievement of company objectives
11. Chief Risk Officer
• Providing the overall leadership, vision and direction for Enterprise Risk Management
• Establishing an integrated risk management framework and developing the supporting infrastructure
• Developing risk management policies, including the articulation of management’s risk appetite
• Implementing a set of risk indicators and reports
• Allocating economic capital to business activities based on risk profile
• Communicating the company’s risk profile to key stakeholders
Chief Audit Executive
• Evaluating the risk portfolio and determining business activities to monitor and/or examine
• Providing independent assurance on the effectiveness of the risk management program as well as compliance with applicable laws and regulations
• Investigating and reporting incidents of fraud or ethical violations
• Serving as an internal consultant on risk related activities such as providing education and facilitating risk evaluation
• Communicating independent view and key findings to management and the board of directors
12. • Reporting relationships: CAE must maintain independence
• Political influence over decision making
• Inappropriate shift of responsibility, particularly during times of expense control and resource / skill constraints
13. Chart: How has the recession and economic turmoil impacted your ERM approach? (horizontal bar chart, scale 0% to 50%; responses: Reinforcing role of the CRO; Involving board and senior executives more in ERM; Expanding ERM to cover more types of risk; Reassessing risk culture; Involving all employees in ERM; Not making any changes)
• Recent crisis demonstrates the need for a holistic, integrated approach to ERM
• In most cases, ERM cannot be led on a part-time basis by the CEO or other member of the C-suite
• Need to combine risk discipline and analysis with sound business judgment
Source: 2009 Treasury & Risk Magazine ERM Survey
14. Chart: What aspect of risk management is posing the greatest challenge to your company? (pie chart: Understanding the link between strategy and risks 25%; Mitigation of risks 21%; Assessing risks 17%; Identification of risks 17%; Tracking and reporting on risks 9%; Acting on the risk information 8%; Other 3%)
• Board members from major U.S. public companies see room for improvement in their ERM programs in many areas
• Addressing these concerns will require a solid partnership between the CRO & CAE
• Right skills and technology are critical to successful improvement
Source: 2009 KPMG Audit Committee Survey
15. Chief Risk Officer
• Ensure risk management is fully incorporated in the strategic planning process
• Align performance, risk and compensation management systems
• Focus on both quantitative and qualitative aspects of the risk profile; do not blindly accept model results
• Maintain consistent communication channels and agreement on risk appetite
Chief Audit Executive
• Provide an objective, unbiased viewpoint of risk management practices through peer and competitor benchmarking
• Perform risk-based audits that equally challenge both high performing and poor performing business units
• Exercise authority to investigate fraud
• Proactively communicate any gaps in risk assessment or mitigation plans to management
16. Risk & Control Program Analysis
  • Program Maturity Evaluation
  • Benchmarking
  • Gap Analysis
  • Enhancement Road Map
Enterprise Risk Assessment
  • Framework Construction
  • Risk Catalog Creation
  • Risk Appetite Definition
  • Risk Assessment Methodology
Governance, Risk & Compliance Automation
  • Requirements Definition
  • System Evaluation / Selection
  • Implementation Assistance
Compliance Process Improvement
  • Organizational Review
  • Process Analysis & Redesign
17. Wheelhouse Advisors LLC
1170 Peachtree Street
Suite 1200
Atlanta, Georgia 30309
John Wheeler, Managing Principal
+1 (404) 805-9203 x1703
john.wheeler@wheelhouseadvisors.com