Board Governance - Enterprise Risk Management
Forum for Corporate Directors – Leadership in the Board Room
UC Irvine – The Paul Merage School of Business
Executive MBA Program

July 18, 2009
Agenda

- Defining risk…
- A new risk paradigm
- ERM – a process point of view
- Drivers of ERM
- ERM roles and responsibilities
- A practical approach to ERM
  - Enterprise risk assessment
  - Risk management framework assessment

Page 2           UC irvine Executive MBA – Enterprise Risk Management
Defining risk…

“A risk is the threat that an event, action, or non-action could adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully.”

A new risk paradigm

Leading organizations expand their view of risks and enhance risk
management beyond the traditional compliance function.

Keep Us Out of Trouble:
- Growing number of restatements
- Bigger fines and settlements
- Expanding regulation
- Stiffer sanctions
- Catastrophic reputational consequences
- Criminal indictments
Perception: “All too confusing and overdone… except when we get in trouble.”

Make Our Business Better (the goal):
- Coordinated risk activities
- Enhanced business processes
- Risk-adjusted decisions
- Effective use of technology
- Improved risk reporting and disclosure
- Reduced total risk spend
Perception: “Must do it… but how do we do it better?”

Enterprise Risk Management (ERM) – a process point of view

“Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

[Diagram: the COSO ERM cube. Objective categories across the top: Strategic, Operations, Reporting, Compliance. The eight components down the face:]
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information & Communication
- Monitoring

Source: COSO – Enterprise Risk Management – Integrated Framework

Drivers of ERM
Greater complexity of business environment and decision making

Various internal and external drivers and developments require
companies to become more effective and efficient at managing risks.

External Drivers
- Changing and expanding regulatory requirements
- Instability of economic and market conditions
- Geo-political developments
- Increasing litigation and fines
- Increasing scrutiny by rating agencies and listing exchanges
- Increasing cost and/or scarcity of resources (material and labor)
- Rapidly changing competitive landscape
- Others…

Internal Drivers
- More dynamic business models and changing technology requirements
- Greater distribution of business activities, locations, etc.
- Increasing interdependencies on business relationships (alliances, JV)
- Focus on preservation and leverage of intangible assets
- Greater sophistication and scrutiny by board members
- Focus on risk-adjusted decision making
- Others…
Business advantages of good risk management

Benefits for stakeholders:
Surveys point to the value the financial markets and investment analysts ascribe to those companies that can demonstrate good risk management.

[Bar chart, % of respondents (N = 137), axis 0–35%; individual bar values are not recoverable from the extraction. Benefits listed:]
- Fewer negative surprises
- Greater financial stability
- Greater certainty of profitability
- Lower investment risk
- Better long-term share price performance
- Greater confidence to retain / increase stake
- Greater transparency
- Lower share price volatility
- Adds company value

Benefits for the organization:
► Avoid surprises
  – A routine process to identify and manage potential issues
► Better governance
  – Clear risk roles and responsibilities
  – Clear risk communication, language, reporting and escalation
► Better decision making
  – Considering the business impact of a broader range of scenarios
► Efficiencies
  – More effective and efficient risk functions
  – Less overlap and fewer gaps in risk coverage

Shareholder value of risk management

A survey of 137 institutional investors managing some of the world’s
largest funds concluded the following on the question whether “it was worth
paying a premium for companies that can demonstrate a successful
approach to risk management.”

[Pie chart of responses:]
- Strongly agree (31%)
- Agree somewhat (51%)
- Disagree somewhat (6%)
- Strongly disagree (7%)
- Not specified (5%)

Source: Global Risk Survey of 137 Institutional Investors managing the world’s largest funds, November 2005

ERM consideration in the S&P debt rating evaluation

Scoring ERM in the debt rating process:
- S&P indicates that assessing a company’s risk management capabilities is the most subjective of all areas when assigning a credit rating
- The process started to roll out in Q3 of 2008 with the introduction of the framework model and a focus on building specific industry benchmarks
- Rating adjustments expected in Q1/Q2 2009
- Ultimately, the evaluation of risk management may directly impact an organization’s cost of capital

ERM roles and responsibilities
ERM roles and responsibilities (examples)

Board of Directors
- Is ultimately responsible for the ERM program
- Approves risk appetite and risk tolerances
- Approves risk catalog and assessment methods
- Sets standards regarding risk policies and programs
- Monitors the quality of the program

CEO
- Coordinates design, implementation, and monitoring of the ERM program
- Contributes to the definition of risk policy, appetite, and tolerance
- Assigns roles and responsibilities for design, implementation, and monitoring
- Decides on resource allocations for risk management strategies
- Decides on risk indicators, thresholds, and implementation of risk response strategies
- Reports to the board on risk issues

ERM Steering Committee
- Assembles executives from key functional areas and risk management functions
- Contributes knowledge on risks specific to particular business functions
- Communicates directly with business unit managers to promote ERM and obtain relevant information
- Shares experiences regarding risk strategies and risk mitigation tactics
- Coordinates ERM training and reporting

Risk Owner
- Assumes responsibility for the implementation, use, and monitoring of risk management techniques
- Contributes to risk assessment and ensures that risk response strategies remain pertinent and effective
- Documents implemented ERM efforts and reports on relevant risk issues / developments

The role of Internal Audit

[Diagram: a fan of possible Internal Audit roles in ERM. Labels recoverable from the extraction: Coordinating of ERM activities; Consolidated reporting on risks; Facilitating identification & evaluation of risks; Coaching management in responding to risks; Reviewing the management of key risks; Evaluating the reporting of key risks; Maintaining & developing the ERM framework; Championing establishment of ERM; Developing ERM strategy for board approval; Setting the risk appetite; Imposing risk management processes; Management assurance on risks. The slide is cut off in the extraction.]




                                                                                                                                                                                         De
                                                                                                           ris


                                                                                                                          s
                                                                         ris                                                                                                                                                             n                                       ris




                                                                                                                                                                                                                      Im
                                    ma                                                                                                                                                                                                Ma
                                                                                                               ks



                                        nag                                    ks                                                                                                                                                                                  s    on
                                                  em
                                                    ent                                                                                                                                                                                                    is  ion
      Givin                                                   pro                                                                                                                                                                                     dec                                                   lf
              g ass                                                 ces                                                                                                                                                                       kin
                                                                                                                                                                                                                                                  g                                                beha
                   uran                                                     ses                                                                                                                                                          Ma                                      ent’s
                             ce th                                                                                                                                                                                                                                           agem
                                      at ris                                                                                                                                                                                                                          man
                                                ks ar
                                                            e cor                                                                                                                                                                                ons    e on
                                                                   rectly                                                                                                                                                                   resp
                                                                                evalu                                                                                                                                              g risk
    Giving assura                                                                          ated                                                                                                                       m  entin
                  nc        e on the risk                                                                                                                                                                       Imple                                                   for risk manag
                                                                                                                                                                                                                                                                                                       ement
                                                       managemen
                                                                 t pr                    ocess                                                                                                                                              Accountability




              Core internal audit roles                                                                                Legitimate internal audit                                                                                                  Roles internal audit
                 in regard to ERM                                                                                       roles with safeguards                                                                                                    should not undertake

 Source: IIA UK – The Role of Internal Auditing in Enterprise-wide Risk Management


Page 13
A practical approach to ERM
High-level risk management lifecycle

The lifecycle is a loop of seven steps built around a common set of risk management components:

► Establish Risk Context & Governance
► Identify Value Drivers: develop a consistent risk taxonomy and risk repository and align relevant risks with value drivers (strategies, objectives, initiatives)
► Identify Risks
► Assess Risks: define consistent assessment criteria based on risk appetite and tolerances and assess relevant risks
► Develop Risk Response: define the appropriate risk response strategy (i.e., acceptance, mitigation, sharing, transfer, etc.)
► Assess Risk Response: conclude on the preliminary effectiveness of the risk response and develop an action plan for monitoring
► Monitor & Report: frequently monitor the effectiveness of the risk response (e.g., controls) and report on results

Risk Management Components (at the center of the cycle): Risk Culture; Policy & Mandate; Infrastructure & People; Methods & Practices; Information & Technology

  Page 15                                 Avery – Risk assessment / ERM workshop
A practical approach to ERM

1  Enterprise Risk Assessment (ERA): identify, assess and prioritize the key risks to achieving the organization's business objectives.
   Feeds Risk Management Transformation (3):
   ► Define, improve and monitor efforts for the most significant risks to business objectives
   ► Embed and sustain ongoing risk assessment and monitoring into existing management processes
   ► Align and coordinate risk and control groups across the breadth of the organization

2  Risk Management Framework Assessment (RMFA): evaluate the maturity of design and consistency in application of the risk management and internal control framework.
   Feeds Risk Management Transformation (3):
   ► Define focus areas for framework enhancements aligned to industry risks and leading practice benchmarks

Page 16
A practical approach to ERM (overview)

1  Enterprise Risk Assessment: business strategy → key business objectives → key business risks → risk and control activities
   Key business objectives: revenue and market share; reputation and brand; asset and capital management; earnings and operating margins
   Key business risks: strategic; operations; financial; compliance
   Risk and control activities: assess; improve; monitor

2  Risk Management Framework Assessment: comprehensive risk coverage and coordination across the "lines of defense", with alignment to business objectives
   Operations and business units: New Product Development; Marketing & Advertising; Sourcing & Procurement; Manufacturing & Production; Distribution & Logistics; Customer Support
   Support functions: Treasury; IT; Tax; Finance; Legal; HR
   Monitoring and control functions: Internal Audit; Compliance; Internal control; Risk Management
   Oversight: Executive management; Board; Audit committee; Other committees

Page 17
ERA – identifying risks in the context of the
business drivers

Business Drivers (center of the diagram):
► Reputation and Brand: Do the stakeholders have a favorable view?
► Revenue and Market Share: How does the organization grow?
► Asset and Capital Management: How efficient is the organization?
► Earnings and Operating Margins: How profitable is the organization?

Forces acting on the business drivers (around the diagram):
► Changes to Strategy, People, Process, Technology
► Merger and Acquisition Activity
► New Product and Service Developments
► External Events or Developments

Page 18
ERA – a common categorization and
understanding of risks
A common risk taxonomy and risk assessment method is the
cornerstone of an effective ERA process.

RiskUniverse™ Categories
► Strategic: Planning and Resource Allocation; Major Initiatives; Mergers, Acquisitions and Divestitures; Market Dynamics; Communication and Investor Relations
► Operations: Sales & Marketing; Supply Chain; People; Information Technology; Hazards; Physical Assets
► Financial: Market; Liquidity and Credit; Accounting and Reporting; Tax; Capital Structure
► Compliance: Governance; Code of Conduct; Legal; Regulatory

Key Questions
► What are our key risks and how do we measure the relevance of those risks?
► Are we focused on the risks that matter?
► Who is accountable for the key risks?
► Are resources aligned to our risk profile?
► Are we accepting the right level of risk?
► Are we receiving a fair return on that risk?
► Who is monitoring the significant risks?
► How are we improving key controls?

Page 19
ERA – common techniques to assess and
prioritize risks
A company may employ quantitative or qualitative risk assessment
models, which need to be understood and accepted by the respective
risk owners and executive management:

Methods / Techniques
  Quantitative models: Value at Risk (VaR); Cash Flow at Risk (CaR); Earnings at Risk (EaR); Monte Carlo simulation; others
  Qualitative models: risk map; self-assessments, interviews or facilitated workshops; SWOT analysis; scenario analysis; others

Assessment Criteria
  Quantitative models: target or industry benchmarks
  Qualitative models: Risk Assessment Criteria (RAC) with impact and likelihood thresholds

Important Considerations
  Quantitative models: require the availability of a sufficient amount of data or an understanding of the models; well suited for financial risks
  Qualitative models: the knowledge and judgment of the individuals involved is critical; well suited where risks do not lend themselves to quantification

Page 20
ERA – relating risk appetite, risk tolerance
and risk limits to prioritize risks

Risk Capacity: the broad-based amount of risk a company is able to accept in pursuit of its mission, vision, business objectives and overall strategic goals; directly related to an entity's capital, liquidity and external stakeholder influence.

Risk Appetite: the broad-based aggregate amount of risk a company is willing to accept in pursuit of its mission, vision, business objectives and strategic goals; directly related to an entity's risk capacity as well as its culture, desired level of risk, risk management capability and business strategy.

Risk Tolerance: the specific maximum applicable to each category of risk regarding the magnitude of risks that the organization is willing to take to achieve its strategy and objectives; set such that the aggregation of risk tolerances ensures the organization operates within the risk appetite.

Risk Target: the optimal level of risk that the organization desires to take to achieve specific business objectives and operate within its appetite/tolerance for risk; defines the balance between risk and reward. The risk target is based on management's desired returns, the role of risk in achieving those returns and the capability to manage the risk/reward profile.

Risk Limits: thresholds to ensure that variation from the expected outcome will be consistent with the risk target but will not exceed the risk appetite/tolerance; defines process-level controls and management authorities and should reflect risk limits.

Page 21
ERA – risk map / assessment outputs (example)

Risk map axes: vertical, Risk exposure (Impact x likelihood), from 0.0 (Low) to 25.0 (High); horizontal, Management preparedness, from 1.0 (Low) to 5.0 (High). Risks are plotted by their number and the map is split into four quadrants:
► Improve (high exposure, low preparedness)
► Monitor Controls (high exposure, high preparedness)
► Monitor Risks (low exposure, low preparedness)
► Accept / Optimize (low exposure, high preparedness)

Tier 1 risks
 1  Emerging Markets – Growth
 2  Liquidity – Cash Management
 3  Key Supplier Dependence
 4  Debt – Cost of Capital
 5  IT – Security and Privacy
 6  Sourcing – Global Competition
 7  IT – Infrastructure Efficiency
 8  Joint Venture Relationships
 9  Ineffective Financial Planning and Forecasting
10  Competitive Recruitment and Retention
11  Focus and Alignment of Acquisitions and Integration
12  Evolving Regulatory Changes – United States Markets

Page 22
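Added example (Python, not code from the deck): the risk map's exposure formula, impact x likelihood, applied to a small register and mapped onto the four quadrants above. The quadrant splits at the axis midpoints (exposure 12.5, preparedness 3.0) and every score are assumptions; only the twelve risk names come from the slide's Tier 1 list.

```python
"""Risk map scoring and quadrant assignment for an ERA risk register.

Added example, not code from the original deck. It applies the slide's
exposure formula (exposure = impact x likelihood, each scored 1-5, so
exposure runs 1-25) and places every risk in one of the four risk-map
quadrants against management preparedness (1-5). The quadrant splits
(exposure 12.5, preparedness 3.0, the axis midpoints) are assumptions;
the twelve risk names are the slide's Tier 1 list, and their scores are
constructed sample values rather than figures from the deck.
"""
from collections import defaultdict
from dataclasses import dataclass

EXPOSURE_SPLIT = 12.5      # assumption: midpoint of the 0-25 exposure axis
PREPAREDNESS_SPLIT = 3.0   # assumption: midpoint of the 1-5 preparedness axis
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int          # 1 (negligible) .. 5 (severe)
    likelihood: int      # 1 (remote) .. 5 (almost certain)
    preparedness: float  # 1.0 (no response in place) .. 5.0 (well controlled)

    def __post_init__(self) -> None:
        # Reject scores outside the 1-5 scales so a data-entry slip cannot
        # silently move a risk into the wrong quadrant.
        for field, value in (("impact", self.impact),
                             ("likelihood", self.likelihood),
                             ("preparedness", self.preparedness)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{field} must be in [{SCALE_MIN}, {SCALE_MAX}], got {value}")

    @property
    def exposure(self) -> float:
        """Risk exposure as plotted on the map's vertical axis."""
        return float(self.impact * self.likelihood)


def quadrant(exposure: float, preparedness: float) -> str:
    """Map an (exposure, preparedness) point to the slide's quadrant label.

    Top-left of the map (high exposure, weak preparedness) is 'Improve',
    top-right 'Monitor Controls', bottom-left 'Monitor Risks' and
    bottom-right 'Accept / Optimize'. A point exactly on a split line
    counts as high exposure / prepared (>=), an assumption of this example.
    """
    high_exposure = exposure >= EXPOSURE_SPLIT
    prepared = preparedness >= PREPAREDNESS_SPLIT
    if high_exposure:
        return "Monitor Controls" if prepared else "Improve"
    return "Accept / Optimize" if prepared else "Monitor Risks"


def rank_register(risks: list[Risk]) -> list[tuple[int, Risk, str]]:
    """Order risks the way the slide's numbered list does: highest exposure
    first, ties broken by weaker preparedness, each with its quadrant."""
    ordered = sorted(risks, key=lambda r: (-r.exposure, r.preparedness, r.name))
    return [(rank, r, quadrant(r.exposure, r.preparedness))
            for rank, r in enumerate(ordered, start=1)]


def quadrant_summary(risks: list[Risk]) -> dict[str, list[str]]:
    """Group ranked risk names by quadrant, keeping rank order within each."""
    groups: dict[str, list[str]] = defaultdict(list)
    for _, risk, label in rank_register(risks):
        groups[label].append(risk.name)
    return dict(groups)


# Constructed sample register: the slide's Tier 1 risk names with made-up
# impact, likelihood and preparedness scores (assumption, not deck data).
REGISTER = [
    Risk("Emerging Markets – Growth", 5, 5, 2.0),
    Risk("Liquidity – Cash Management", 5, 4, 3.0),
    Risk("Key Supplier Dependence", 4, 5, 4.0),
    Risk("Debt – Cost of Capital", 4, 4, 2.5),
    Risk("IT – Security and Privacy", 5, 3, 2.0),
    Risk("Sourcing – Global Competition", 3, 5, 3.5),
    Risk("IT – Infrastructure Efficiency", 3, 4, 2.5),
    Risk("Joint Venture Relationships", 2, 5, 2.0),
    Risk("Ineffective Financial Planning and Forecasting", 3, 3, 4.0),
    Risk("Competitive Recruitment and Retention", 2, 4, 3.0),
    Risk("Focus and Alignment of Acquisitions and Integration", 2, 3, 3.5),
    Risk("Evolving Regulatory Changes – United States Markets", 1, 5, 4.5),
]

if __name__ == "__main__":
    print(f"{'#':>2}  {'Exp':>4}  {'Prep':>4}  {'Quadrant':<18}  Risk")
    for rank, risk, label in rank_register(REGISTER):
        print(f"{rank:>2}  {risk.exposure:>4.1f}  {risk.preparedness:>4.1f}  {label:<18}  {risk.name}")
```

With the constructed scores the ranking reproduces the slide's numbering 1 to 12, and the three risks landing in "Improve" are the ones a board would expect to see action plans for first.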
RMFA – a view of required competencies

Leveraging the information obtained through the ERA, the company
evaluates the design and application of the risk management
competencies to define improvement opportunities.

The competency wheel cycles Assess → Improve → Monitor around the competency areas, each with the questions the assessment asks:
► Strategy, Governance & Mandate: Do we have the proper oversight on risk and control? Are risk decisions made with proper guidance?
► People: Does the culture encourage taking the appropriate risks? Are efforts effectively aligned and coordinated to manage risk?
► Methods and Practices: Are risk and control activities efficient and effective? How are risks and controls assessed, monitored and improved?

RMFA – key focus areas to be assessed

The evaluation of an organization’s risk management capabilities should
be focused on a variety of key components and identify opportunities for
enhancements across the organization.

Governance                  People                        Methods and Practices
Tone At The Top             Culture and Performance       Risk Identification and Assessment
Strategies and Objectives   Alignment and Coordination    Risk Management Design and Effectiveness
Policy and Procedures       Competence and Capabilities   Process Improvement and Efficiency
Organizational Structure    Roles and Responsibilities    Monitoring and Reporting
Compliance                  Communication                 Technology

Wrap-up
Principles of Effective Risk Management
6 key elements of successful ERM programs

E&Y’s ERM point of view

•   Agreed risk strategy: The Board and management
    must provide guidance on the appropriate strategy and
    approach to Risk Management aligned to the
    organizational strategy.

•   Clear governance framework: The Board will
    usually delegate day-to-day governance through an
    oversight structure that includes an enterprise risk
    committee and/or a chief risk officer.

•   Efficient Risk Management processes: The
    organization needs defined procedures for assessing and
    continuously monitoring risks on an enterprise-wide basis.

•   Appropriate technology: Effective systems providing
    access to information about risk identification, assessment
    and solutions to support the Risk Management processes.

•   Coordination of Risk Management functions:
    Integrated risk functions embedded within the business to
    leverage expertise across the entire organization.

•   The right culture and capability: Everyone in the
    organization must be attuned to the risk culture, and
    performance measurements must be risk-based.




Parting comments…


“A ship in harbor is safe -- but that is not
 what ships are built for.”
                               John A. Shedd, Salt from My Attic, 1928




                   …Questions?




Speaker’s bio

Peter Rosenzweig has more than 17 years’ experience in the assessment,
design, and implementation of complex risk management and internal
control frameworks, including IT risk and control structures. Peter serves
as regional subject matter resource in the application of Ernst & Young’s
Enterprise Risk Management methodology and he has assisted various
large organizations with the implementation or transformation of
enterprise-wide risk management capabilities.



Contact Information
Peter Rosenzweig
Ernst & Young LLP
Risk Advisory Services
Direct: 213.977.5849
peter.rosenzweig@ey.com


   About Ernst & Young

   Ernst & Young is a global leader in assurance, tax, transaction
   and advisory services. Worldwide, our 130,000 people are united
   by our shared values and an unwavering commitment to quality.
   We make a difference by helping our people, our clients and our
   wider communities achieve potential.

   For more information, please visit www.ey.com.

   Ernst & Young refers to the global organization of member firms
   of Ernst & Young Global Limited, each of which is a separate
   legal entity. Ernst & Young Global Limited, a UK company limited
   by guarantee, does not provide services to clients.

UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: Enterprise Risk Management (ERM)

  • 1. Board Governance - Enterprise Risk Management Forum for Corporate Directors – Leadership in the Board Room UC Irvine – The Paul Merage School of Business Executive MBA Program July 18, 2009
  • 2. Agenda  Defining risk…  A new risk paradigm  ERM – a process point of view  Drivers of ERM  ERM roles and responsibilities  A practical approach to ERM Enterprise risk assessment Risk management framework assessment Page 2 UC irvine Executive MBA – Enterprise Risk Management
  • 3. Defining risk… “A risk the threat that an event, action, or non-action could adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully.” Page 3 UC irvine Executive MBA – Enterprise Risk Management
  • 4. A new risk paradigm Leading organizations expand their view of risks and enhance risk management beyond the traditional compliance function. Keep Us Out of Trouble Make Our Business Better Growing Number of Restatements Bigger Fines and Settlements goal Coordinated Risk Activities Enhanced Business Processes Expanding Stiffer Risk-Adjusted Effective Use Regulation Sanctions Decisions of Technology Catastrophic Criminal Improved Risk Reduced Total Reputational Indictments Reporting and Risk Spend Consequences Disclosure All too confusing and overdone… Must do it… Except when we get in trouble But how do we do it better? Page 4 UC irvine Executive MBA – Enterprise Risk Management
  • 5. Enterprise Risk Management (ERM) – a process point of view “Enterprise risk management is a e ns ng c nc gi t io process, effected by an entity’s rti ia te ra pl po ra pe m St Re board of directors, management, Co O Internal Environment and other personnel, applied in strategy setting and across the Objective Setting enterprise, designed to identify Event Identification potential events that may affect the Risk Assessment entity, and manage risk to be Risk Response within its risk appetite, to provide reasonable assurance regarding Control Activities the achievement of entity Information & Communication objectives.” Monitoring Source: COSO – Enterprise Risk Management – Integrated Framework Page 5 UC irvine Executive MBA – Enterprise Risk Management
  • 7. Greater complexity of business environment and decision making Various internal and external drivers and developments require companies to become more effective and efficient at managing risks. External Drivers Internal Drivers Changing and expanding regulatory More dynamic / business models and requirements changing technology requirements Instability of economic and market Greater distribution of business conditions activities, locations, etc. Geo-political developments Increasing interdependencies on Increasing litigations and fines business relationships (alliances, JV) Focus on preservation and leverage of Increasing scrutiny by rating agencies intangible assets and listing exchanges Greater sophistication and scrutiny by Increasing cost and/or scarcity of board members resources (material and labor) Focus on risk-adjusted decision making Rapidly changing competitive landscape Others… Others… Page 7 UC irvine Executive MBA – Enterprise Risk Management
  • 8. Business advantages of good risk management Benefits for stakeholders: Benefits for the Surveys point to the value the financial markets and organization: investment analysts ascribe to those companies that ► Avoid surprises can demonstrate good risk management. – A routine process to identify and manage Fewer negative surprises potential issues ► Better governance Greater financial stability – Clear risk roles and responsibilities Greater certainty of profitability – Clear risk communication, Lower investment risk language, reporting and escalation Better long-term share price performance ► Better decision making Greater confidence to retain / – Considering the business increase stake impact of a broader range of scenarios Greater transparency ► Efficiencies Lower share price volatility – More effective and efficient risk functions Adds company value – Less overlap and fewer 0 5 10 15 20 25 30 35 gaps in risk coverage % of respondents (N = 137) Page 8 UC irvine Executive MBA – Enterprise Risk Management
  • 9. Shareholder value of risk management A survey of 137 institutional investors managing some of the worlds largest funds concluded the following on the question if “it was worth paying a premium for companies that can demonstrate a successful approach to risk management.” Strongly Agree (31%) Agree Somewhat (51%) Disagree somewhat (6%) Strongly disagree (7%) Not specified (5%) Source: Global Risk Survey of 137 Institutional Investors managing the worlds largest funds, November 2005 Page 9 UC irvine Executive MBA – Enterprise Risk Management
  • 10. ERM consideration in the S&P debt rating evaluation Scoring ERM in the debt rating process:  S&P indicates that assessing a company’s risk management capabilities is the most subjective of all areas when assigning a credit rating  The process started to roll out in Q3 of 2008 with the introduction of the framework model and a focus on building specific industry benchmarks  Rating adjustments expected in Q1/Q2 2009  Ultimately, the evaluation of risk management may directly impact an organization’s cost of capital Page 10 UC irvine Executive MBA – Enterprise Risk Management
  • 11. ERM roles and responsibilities
  • 12. ERM roles and responsibilities (examples) Board of Directors ERM Steering Committee  Is ultimately responsible for ERM program  Assembles executive from key functional areas  Approves risk appetite and risk tolerances and risk management functions  Contributes knowledge on risks specific to  Approves risk catalog and assessment methods particular business functions  Sets standards regarding risk policies and  Communicates directly with business unit programs managers to promote ERM and obtain relevant  Monitors the quality of the program information  Shares experiences regarding risk strategies and CEO risk mitigation tactics  Coordinates design, implementation, and  Coordinates ERM training and reporting monitoring of the ERM program  Contributes to the definition of risk policy, Risk Owner appetite, and tolerance  Assumes responsibility for the implementation,  Assigns roles and responsibilities for design, use, and monitoring of risk management implementation, and monitoring techniques  Decides on resource allocations for risk  Contributes to risk assessment and ensures that management strategies risk response strategies remain pertinent and effective  Decides on risk indicators, thresholds, and implementation of risk response strategies  Documents implemented ERM efforts and reports on relevant risk issues / developments  Reports to the board on risk issues Page 12 UC irvine Executive MBA – Enterprise Risk Management
• 13. The role of Internal Audit
  Core internal audit roles in regard to ERM:
  - Giving assurance on the risk management process
  - Giving assurance that risks are correctly evaluated
  - Evaluating risk management processes
  - Evaluating the reporting of key risks
  - Reviewing the management of key risks
  Legitimate internal audit roles with safeguards:
  - Facilitating identification and evaluation of risks
  - Coaching management in responding to risks
  - Coordinating ERM activities
  - Consolidated reporting on risks
  - Maintaining and developing the ERM framework
  - Championing establishment of ERM
  - Developing RM strategy for board approval
  Roles internal audit should not undertake:
  - Setting the risk appetite
  - Imposing risk management processes
  - Management assurance on risks
  - Taking decisions on risk responses
  - Implementing risk responses on management’s behalf
  - Accountability for risk management
  Source: IIA UK – The Role of Internal Auditing in Enterprise-wide Risk Management
• 15. High-level risk management lifecycle
  - Establish Risk Context & Governance: identify value drivers
  - Identify Risks: develop consistent risk taxonomy and risk repository and align relevant risks with value drivers (strategies, objectives, initiatives)
  - Assess Risks: define consistent assessment criteria based on risk appetite and tolerances and assess relevant risks
  - Develop Risk Response: define appropriate risk response strategy (i.e., acceptance, mitigation, sharing, transfer, etc.)
  - Assess Risk Response: conclude on preliminary effectiveness of risk response and develop action plan for monitoring
  - Monitor & Report: frequently monitor effectiveness of risk response (e.g., controls) and report on results
  Risk Management Components (at the center of the lifecycle): Risk Culture; Policy & Mandate; Infrastructure & People; Methods & Practices; Information & Technology
  (Avery – Risk assessment / ERM workshop)
• 16. A practical approach to ERM
  1 Enterprise Risk Assessment (ERA): identify, assess and prioritize the key risks to achieving the organization’s business objectives
  2 Risk Management Framework Assessment (RMFA): evaluate the maturity of design and consistency in application of the risk management and internal control framework
  3 Risk Management Transformation:
  ► Define improve and monitor efforts for the most significant risks to business objectives
  ► Embed and sustain ongoing risk assessment and monitoring into existing management processes
  ► Align and coordinate risk and control groups across the breadth of the organization
  ► Define focus areas for framework enhancements aligned to industry risks and leading practice benchmarks
• 17. A practical approach to ERM (overview)
  [Diagram: the two assessments laid over the organization, with an Assess / Improve / Monitor cycle anchored on business strategy]
  1 Enterprise Risk Assessment: key business objectives; key business risks; risk and control activities; alignment to business objectives
  2 Risk Management Framework Assessment: comprehensive risk coverage; coordination across the “lines of defense”
  Business objectives shown: New Product Development; Revenue and market share; Reputation and brand; Asset and capital management; Earnings and operating margins
  Groups shown: Board Oversight; Audit committee; Executive management; Monitoring and control functions; Operations and business units; Support functions
  Functions shown: Treasury; Internal Audit; Marketing & Advertising; IT; Operations; Sourcing & Procurement; Compliance; Tax; Manufacturing & Production; Finance; Internal control; Distribution & Logistics; Legal; Risk Management committees; Other operating committees; Customer Support; HR
• 18. ERA – identifying risks in the context of the business drivers
  Business Drivers:
  - Reputation and Brand – Do the stakeholders have a favorable view?
  - Revenue and Market Share – How does the organization grow?
  - Asset and Capital Management – How efficient is the organization?
  - Earnings and Operating Margins – How profitable is the organization?
  Sources of change surrounding the drivers: Changes to Strategy, People, Process, Technology; Merger and Acquisition Activity; New Product and Service Developments; External Events or Developments
• 19. ERA – a common categorization and understanding of risks
  A common risk taxonomy and risk assessment method is the cornerstone of an effective ERA process.
  RiskUniverse™ Categories:
  - Strategic: Planning and Resource Allocation; Major Initiatives; Mergers, Acquisitions and Divestitures; Market Dynamics; Communication and Investor Relations
  - Operations: Sales & Marketing; Supply Chain; People; Information Technology; Hazards; Physical Assets
  - Financial: Market; Liquidity and Credit; Accounting and Reporting; Tax; Capital Structure
  - Compliance: Governance; Code of Conduct; Legal; Regulatory
  Key Questions:
  - What are our key risks and how do we measure the relevance of those risks?
  - Are we focused on the risks that matter?
  - Who is accountable for the key risks?
  - Are resources aligned to our risk profile?
  - Are we accepting the right level of risk?
  - Are we receiving a fair return on that risk?
  - Who is monitoring the significant risks?
  - How are we improving key controls?
• 20. ERA – common techniques to assess and prioritize risks
  A company may employ quantitative or qualitative risk assessment models, which need to be understood and accepted by the respective risk owners and executive management:
  Quantitative Models
  - Methods / Techniques: Value at Risk (VaR); Cash Flow at Risk (CaR); Earnings at Risk (EaR); Monte Carlo Simulation; Others
  - Assessment Criteria: Target or industry benchmarks
  - Important Consideration: Requires availability of sufficient amount of data or understanding of models; Well suited for financial risks
  Qualitative Models
  - Methods / Techniques: Risk map; Self-assessments, interviews, or facilitated workshops; SWOT analysis; Scenario analysis; Others
  - Assessment Criteria: Risk Assessment Criteria (RAC) with impact and likelihood thresholds
  - Important Consideration: Knowledge and judgment of individuals involved is critical; Well suited where risks don’t lend themselves to quantification
• 21. ERA – relating risk appetite, risk tolerance and risk limits to prioritize risks
  - Risk Capacity: The broad-based amount of risk a company is able to accept in pursuit of its mission, vision, business objectives and overall strategic goals – directly related to an entity’s capital, liquidity and external stakeholder influence
  - Risk Appetite: The broad-based aggregate amount of risk a company is willing to accept in pursuit of its mission, vision, business objectives and strategic goals – directly related to an entity’s risk capacity as well as its culture, desired level of risk, risk management capability and business strategy
  - Risk Tolerance: The specific maximum applicable to each category of risk regarding the magnitude of risks that the organization is willing to take to achieve its strategy and objectives – set such that the aggregation of risk tolerances ensures the organization operates within the risk appetite
  - Risk Target: The optimal level of risk that the organization desires to take to achieve specific business objectives and operate within its appetite/tolerance for risk – defines the balance between risk and reward; the risk target is based on management’s desired returns, the role of risk in achieving those returns and the capability to manage the risk/reward profile
  - Risk Limits: Thresholds to ensure that variation from expected outcome will be consistent with the risk target, but will not exceed the risk appetite/tolerance – defines process-level controls and management authorities and should reflect risk limits
• 22. ERA – risk map / assessment outputs (example)
  [Risk map: y-axis “Risk exposure (Impact x likelihood)”, Low 0.0 to High 25.0; x-axis “Management preparedness (focus and alignment)”, Low 1.0 to High 5.0. Quadrant labels: Improve; Monitor; Monitor; Accept Risks / Optimize.]
  Tier 1 risks plotted:
  1 Emerging Markets – Growth
  2 Liquidity – Cash Management
  3 Key Supplier Dependence
  4 Debt – Cost of Capital
  5 IT – Security and Privacy
  6 Sourcing – Global Competition
  7 IT – Infrastructure Efficiency
  8 Joint Venture Relationships
  9 Ineffective Financial Planning and Forecasting
  10 Competitive Recruitment and Retention
  11 Acquisitions and Integration
  12 Evolving Regulatory Changes – United States Markets
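How a risk map like the one on this slide is actually produced from a risk register, as an added example (Python; not code from the deck or from Ernst & Young). It scores each risk as impact x likelihood, places it in a quadrant by exposure and management preparedness, orders the register for attention, and then applies the appetite and tolerance definitions from slide 21 (each category has a maximum tolerated exposure, and the aggregate of tolerances must stay within appetite). The 12 risk names are taken from the slide; every score, the category tolerances, the appetite figure, the quadrant cut-offs and which corner each label occupies are constructed assumptions.

```python
"""Risk-map prioritisation with appetite and tolerance checks.

Added example; not code from the slide deck. The 12 risk names come from
the risk map slide, but every score, category tolerance, appetite figure
and quadrant cut-off below is a constructed assumption.
"""
from dataclasses import dataclass

# Slide axes: impact and likelihood are scored 1..5, so exposure runs 1..25.
SCALE_MAX = 5.0
EXPOSURE_CUT = 12.5      # assumption: midpoint of the 0..25 exposure axis
PREPAREDNESS_CUT = 3.0   # assumption: midpoint of the 1..5 preparedness axis


@dataclass(frozen=True)
class Risk:
    no: int
    name: str
    category: str        # RiskUniverse category from the taxonomy slide
    impact: float        # 1..5
    likelihood: float    # 1..5
    preparedness: float  # 1..5: management's focus and alignment

    def __post_init__(self):
        # Reject scores outside the assessment scale instead of plotting garbage.
        for attr in ("impact", "likelihood", "preparedness"):
            value = getattr(self, attr)
            if not 1.0 <= value <= SCALE_MAX:
                raise ValueError(f"{attr} must be within 1..{SCALE_MAX:g}")

    @property
    def exposure(self) -> float:
        """Risk exposure as plotted on the slide's y-axis: impact x likelihood."""
        return self.impact * self.likelihood


def quadrant(risk: Risk) -> str:
    """Map a risk to a quadrant of the exposure-vs-preparedness map.

    Quadrant names follow the slide; which corner each label occupies is our
    reading of the diagram (assumption).
    """
    high_exposure = risk.exposure >= EXPOSURE_CUT
    prepared = risk.preparedness >= PREPAREDNESS_CUT
    if high_exposure and not prepared:
        return "Improve"            # top-left: large exposure, weak response
    if not high_exposure and prepared:
        return "Accept / Optimize"  # bottom-right: possibly over-controlled
    return "Monitor"                # the two remaining quadrants


def prioritize(risks):
    """Order for attention: highest exposure first, least prepared first on ties."""
    return sorted(risks, key=lambda r: (-r.exposure, r.preparedness, r.no))


def risk_map(risks):
    """Group risk numbers by quadrant, each group in priority order."""
    groups = {"Improve": [], "Monitor": [], "Accept / Optimize": []}
    for r in prioritize(risks):
        groups[quadrant(r)].append(r.no)
    return groups


def tolerance_findings(risks, tolerances, appetite):
    """Apply the slide-21 definitions: tolerances are per-category maxima whose
    aggregate must stay within appetite. The aggregate is taken as the plain
    sum of tolerances (assumption). Returns a list of finding strings."""
    findings = []
    aggregate = sum(tolerances.values())
    if aggregate > appetite:
        findings.append(f"aggregate tolerance {aggregate:g} exceeds appetite {appetite:g}")
    for r in risks:
        limit = tolerances[r.category]
        if r.exposure > limit:
            findings.append(f"risk {r.no} ({r.name}) exposure {r.exposure:g} "
                            f"exceeds {r.category} tolerance {limit:g}")
    return findings


# Constructed sample register: names from the slide, scores are illustrative.
SAMPLE_RISKS = [
    Risk(1, "Emerging Markets - Growth", "Strategic", 5, 4, 2),
    Risk(2, "Liquidity - Cash Management", "Financial", 5, 4, 4),
    Risk(3, "Key Supplier Dependence", "Operations", 4, 4, 2),
    Risk(4, "Debt - Cost of Capital", "Financial", 4, 3, 4),
    Risk(5, "IT - Security and Privacy", "Operations", 5, 3, 2),
    Risk(6, "Sourcing - Global Competition", "Operations", 4, 5, 3),
    Risk(7, "IT - Infrastructure Efficiency", "Operations", 3, 4, 3),
    Risk(8, "Joint Venture Relationships", "Strategic", 2, 3, 2),
    Risk(9, "Ineffective Financial Planning and Forecasting", "Financial", 3, 5, 3),
    Risk(10, "Competitive Recruitment and Retention", "Operations", 2, 3, 4),
    Risk(11, "Acquisitions and Integration", "Strategic", 3, 4, 2),
    Risk(12, "Evolving Regulatory Changes - United States Markets", "Compliance", 4, 4, 4),
]
# Constructed: maximum tolerated exposure per category, and the overall appetite.
SAMPLE_TOLERANCES = {"Strategic": 20, "Operations": 20, "Financial": 20, "Compliance": 12}
SAMPLE_APPETITE = 75

if __name__ == "__main__":
    for name, nos in risk_map(SAMPLE_RISKS).items():
        print(f"{name:18} {nos}")
    for finding in tolerance_findings(SAMPLE_RISKS, SAMPLE_TOLERANCES, SAMPLE_APPETITE):
        print("finding:", finding)
```

With the constructed scores the regulatory risk (12) lands in the Monitor quadrant yet still breaches its category tolerance, which is the point of keeping the two checks separate: the map says where management attention goes, the tolerance check says whether the board's stated appetite is being honoured. Lowering the appetite figure (for example to 60) makes the aggregate-tolerance check fire as well.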
• 23. RMFA – a view of required competencies
  Leveraging the information obtained through the ERA, the company evaluates the design and application of the risk management competencies to define improvement opportunities.
  Competencies: Governance & Mandate; Strategy; People; Methods and Practices – reviewed in an Assess / Improve / Monitor cycle.
  - Do we have the proper oversight on risk and control?
  - Are risk decisions made with proper guidance?
  - Does the culture encourage taking the appropriate risks?
  - Are efforts effectively aligned and coordinated to manage risk?
  - Are risk and control activities efficient and effective?
  - How are risks and controls assessed, monitored and improved?
• 24. RMFA – key focus areas to be assessed
  The evaluation of an organization’s risk management capabilities should be focused on a variety of key components and identify opportunities for enhancements across the organization.
  - Governance: Tone At The Top; Strategies and Objectives; Policy and Procedures; Organizational Structure; Compliance
  - People: Culture and Performance; Alignment and Coordination; Competence and Capabilities; Roles and Responsibilities; Communication
  - Methods and Practices: Risk Identification and Assessment; Risk Management Design and Effectiveness; Process Improvement and Efficiency; Monitoring and Reporting; Technology
• 26. Principles of Effective Risk Management – 6 key elements of successful ERM programs (E&Y’s ERM point of view)
  - Agreed risk strategy: The Board and management must provide guidance on the appropriate strategy and approach to Risk Management aligned to the organizational strategy.
  - Clear governance framework: The Board will usually delegate day-to-day governance through an oversight structure that includes an enterprise risk committee and/or a chief risk officer.
  - Efficient Risk Management processes: The organization needs defined procedures for assessing and continuously monitoring risks on an enterprise-wide basis.
  - Appropriate technology: Effective systems providing access to information about risk identification, assessment and solutions to support the Risk Management processes.
  - Coordination of Risk Management functions: Integrated risk functions embedded within the business to leverage expertise across the entire organization.
  - The right culture and capability: Everyone in the organization must be attuned to the risk culture, and performance measurements must be risk based.
• 27. Parting comments…
  “A ship in harbor is safe -- but that is not what ships are built for.” John A. Shedd, Salt from My Attic, 1928
  …Questions?
• 28. Speaker’s bio
  Peter Rosenzweig has more than 17 years of experience in the assessment, design, and implementation of complex risk management and internal control frameworks, including IT risk and control structures. Peter serves as regional subject matter resource in the application of Ernst & Young’s Enterprise Risk Management methodology, and he has assisted various large organizations with the implementation or transformation of enterprise-wide risk management capabilities.
  Contact Information: Peter Rosenzweig, Ernst & Young LLP, Risk Advisory Services. Direct: 213.977.5849, peter.rosenzweig@ey.com
  About Ernst & Young: Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 130,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve potential. For more information, please visit www.ey.com. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.