UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: Enterprise Risk Management (ERM)
1. Board Governance -
Enterprise Risk Management
Forum for Corporate Directors – Leadership in the
Board Room
UC Irvine – The Paul Merage School of Business
Executive MBA Program
July 18, 2009
2. Agenda
Defining risk…
A new risk paradigm
ERM – a process point of view
Drivers of ERM
ERM roles and responsibilities
A practical approach to ERM
Enterprise risk assessment
Risk management framework assessment
Page 2 UC irvine Executive MBA – Enterprise Risk Management
3. Defining risk…
“A risk is the threat that an event, action, or non-action could adversely
affect an organization’s ability to achieve its business objectives and
execute its strategies successfully.”
4. A new risk paradigm
Leading organizations expand their view of risks and enhance risk
management beyond the traditional compliance function.

Keep Us Out of Trouble
• Growing Number of Restatements
• Bigger Fines and Settlements
• Expanding Regulation
• Stiffer Sanctions
• Catastrophic Reputational Consequences
• Criminal Indictments
“All too confusing and overdone… except when we get in trouble”

Make Our Business Better (goal)
• Coordinated Risk Activities
• Enhanced Business Processes
• Risk-Adjusted Decisions
• Effective Use of Technology
• Improved Risk Reporting and Disclosure
• Reduced Total Risk Spend
“Must do it… but how do we do it better?”
5. Enterprise Risk Management (ERM) – a
process point of view
“Enterprise risk management is a process, effected by an entity’s board of
directors, management, and other personnel, applied in strategy setting and
across the enterprise, designed to identify potential events that may affect
the entity, and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.”

COSO ERM cube (figure):
• Components: Internal Environment; Objective Setting; Event Identification;
  Risk Assessment; Risk Response; Control Activities; Information &
  Communication; Monitoring
• Objective categories: Strategic; Operations; Reporting; Compliance
Source: COSO – Enterprise Risk Management – Integrated Framework
7. Greater complexity of business environment
and decision making
Various internal and external drivers and developments require
companies to become more effective and efficient at managing risks.
External Drivers
• Changing and expanding regulatory requirements
• Instability of economic and market conditions
• Geo-political developments
• Increasing litigations and fines
• Increasing scrutiny by rating agencies and listing exchanges
• Greater sophistication and scrutiny by board members
• Rapidly changing competitive landscape
• Others…

Internal Drivers
• More dynamic business models and changing technology requirements
• Greater distribution of business activities, locations, etc.
• Increasing interdependencies on business relationships (alliances, JV)
• Focus on preservation and leverage of intangible assets
• Increasing cost and/or scarcity of resources (material and labor)
• Focus on risk-adjusted decision making
• Others…
8. Business advantages of good risk
management
Benefits for stakeholders:
Surveys point to the value the financial markets and investment analysts
ascribe to those companies that can demonstrate good risk management.
(Bar chart, % of respondents, N = 137, axis 0–35%; items in chart order:)
• Fewer negative surprises
• Greater financial stability
• Greater certainty of profitability
• Lower investment risk
• Better long-term share price performance
• Greater confidence to retain / increase stake
• Greater transparency
• Lower share price volatility
• Adds company value

Benefits for the organization:
► Avoid surprises
  – A routine process to identify and manage potential issues
► Better governance
  – Clear risk roles and responsibilities
  – Clear risk communication, language, reporting and escalation
► Better decision making
  – Considering the business impact of a broader range of scenarios
► Efficiencies
  – More effective and efficient risk functions
  – Less overlap and fewer gaps in risk coverage
9. Shareholder value of risk management
A survey of 137 institutional investors managing some of the world’s
largest funds concluded the following on the question whether “it was worth
paying a premium for companies that can demonstrate a successful
approach to risk management.”
Strongly Agree (31%)
Agree Somewhat (51%)
Disagree somewhat (6%)
Strongly disagree (7%)
Not specified (5%)
Source: Global Risk Survey of 137 Institutional Investors managing the world’s largest funds, November 2005
10. ERM consideration in the S&P debt rating
evaluation
Scoring ERM in the debt rating process:
S&P indicates that assessing a
company’s risk management capabilities
is the most subjective of all areas when
assigning a credit rating
The process started to roll out in Q3 of
2008 with the introduction of the
framework model and a focus on building
specific industry benchmarks
Rating adjustments expected in Q1/Q2
2009
Ultimately, the evaluation of risk
management may directly impact an
organization’s cost of capital
12. ERM roles and responsibilities (examples)
Board of Directors
• Is ultimately responsible for the ERM program
• Approves risk appetite and risk tolerances
• Approves risk catalog and assessment methods
• Sets standards regarding risk policies and programs
• Monitors the quality of the program

CEO
• Coordinates design, implementation, and monitoring of the ERM program
• Contributes to the definition of risk policy, appetite, and tolerance
• Assigns roles and responsibilities for implementation and monitoring
• Decides on resource allocations for risk management strategies
• Decides on risk indicators, thresholds, and implementation of risk
  response strategies
• Reports to the board on risk issues

ERM Steering Committee
• Assembles executives from key functional areas and risk management
  functions
• Contributes knowledge on risks specific to particular business functions
• Communicates directly with business unit managers to promote ERM and
  obtain relevant information
• Shares experiences regarding risk strategies and risk mitigation tactics
• Coordinates ERM training and reporting

Risk Owner
• Assumes responsibility for the implementation, design, use, and
  monitoring of risk management techniques
• Contributes to risk assessment and ensures that risk response strategies
  remain pertinent and effective
• Documents implemented ERM efforts and reports on relevant risk issues /
  developments
13. The role of Internal Audit
(Fan diagram from the IIA position paper; the three segments read as follows.)

Core internal audit roles in regard to ERM
• Giving assurance on the risk management process
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks

Legitimate internal audit roles with safeguards
• Facilitating identification and evaluation of risks
• Coaching management in responding to risks
• Coordinating ERM activities
• Consolidated reporting on risks
• Maintaining and developing the ERM framework
• Championing establishment of ERM
• Developing RM strategy for board approval

Roles internal audit should not undertake
• Setting the risk appetite
• Imposing risk management processes
• Management assurance on risks
• Making decisions on risk responses
• Implementing risk responses on management’s behalf
• Accountability for risk management
Source: IIA UK – The Role of Internal Auditing in Enterprise-wide Risk Management
15. High-level risk management lifecycle
(Lifecycle diagram; steps run clockwise around a central set of components.)

1. Establish Risk Context & Governance
2. Identify Value Drivers: develop a consistent risk taxonomy and risk
   repository and align relevant risks with value drivers (strategies,
   objectives, initiatives)
3. Identify Risks
4. Assess Risks: define consistent assessment criteria based on risk
   appetite and tolerances and assess relevant risks
5. Develop Risk Response: define the appropriate risk response strategy
   (i.e., acceptance, mitigation, sharing, transfer, etc.)
6. Assess Risk Response: conclude on the preliminary effectiveness of the
   risk response and develop an action plan for monitoring
7. Monitor & Report: frequently monitor the effectiveness of the risk
   response (e.g., controls) and report on results

Risk Management Components (center of the cycle)
• Risk Culture
• Policy & Mandate
• Infrastructure & People
• Methods & Practices
• Information & Technology
Page 15 Avery – Risk assessment / ERM workshop
16. A practical approach to ERM
1 – Enterprise Risk Assessment (ERA)
Identify, assess and prioritize the key risks to achieving the
organization’s business objectives.

2 – Risk Management Framework Assessment (RMFA)
Evaluate the maturity of design and consistency in application of the risk
management and internal control framework.

3 – Risk Management Transformation
► Define improvement and monitoring efforts for the most significant risks
  to business objectives
► Embed and sustain ongoing risk assessment and monitoring into existing
  management processes
► Align and coordinate risk and control groups across the breadth of the
  organization
► Define focus areas for framework enhancements aligned to industry risks
  and leading practice benchmarks
17. A practical approach to ERM (overview)
(Overview diagram; the recoverable labels are listed below.)

1 – Enterprise Risk Assessment: Key business objectives → Key business
risks → Risk and control activities; Alignment to business objectives;
Business strategy
• Key business objectives: Revenue and market share; New Product
  Development; Reputation and brand; Asset and capital management;
  Earnings and operating margins

2 – Risk Management Framework Assessment: Comprehensive risk coverage;
Coordination across the “lines of defense”; cycle of Assess → Improve →
Monitor
• Board oversight: Audit committee; Internal control; Other committees
• Executive management
• Monitoring and control functions: Internal Audit; Compliance; Legal;
  Risk Management
• Operations and business units: Strategic; Treasury; Operations;
  Manufacturing & Production; Distribution & Logistics; Customer Support;
  Marketing & Advertising; Sourcing & Procurement
• Support functions: IT; Finance; Tax; HR
18. ERA – identifying risks in the context of the
business drivers
Business Drivers (center of the diagram)
• Revenue and Market Share – How does the organization grow?
• New Product and Service Developments
• Earnings and Operating Margins – How profitable is the organization?
• Asset and Capital Management – How efficient is the organization?
• Reputation and Brand – Do the stakeholders have a favorable view?

Sources of change acting on the drivers
• Changes to Strategy, People, Process, Technology
• Merger and Acquisition Activity
• External Events or Developments
19. ERA – a common categorization and
understanding of risks
A common risk taxonomy and risk assessment method is the
cornerstone of an effective ERA process.
RiskUniverse™ Categories
• Strategic: Planning and Resource Allocation; Major Initiatives; Mergers,
  Acquisition and Divestures; Market Dynamics; Communication and Investor
  Relations
• Operations: Sales & Marketing; Supply Chain; People; Information
  Technology; Hazards; Physical Assets
• Financial: Market; Liquidity and Credit; Accounting and Reporting; Tax;
  Capital Structure
• Compliance: Governance; Code of Conduct; Legal; Regulatory

Key Questions
• What are our key risks and how do we measure the relevance of those risks?
• Are we focused on the risks that matter?
• Who is accountable for the key risks?
• Are resources aligned to our risk profile?
• Are we accepting the right level of risk?
• Are we receiving a fair return on that risk?
• Who is monitoring the significant risks?
• How are we improving key controls?
20. ERA – common techniques to assess and
prioritize risks
A company may employ quantitative or qualitative risk assessment
models, which need to be understood and accepted by the respective
risk owners and executive management:
Quantitative Models
• Methods / Techniques: Value at Risk (VaR); Cash Flow at Risk (CaR);
  Earnings at Risk (EaR); Monte Carlo Simulation; Others
• Assessment Criteria: Target or industry benchmarks
• Important Consideration: Requires availability of a sufficient amount of
  data or understanding of models; well suited for financial risks

Qualitative Models
• Methods / Techniques: Risk map; Self-assessments, interviews, or
  facilitated workshops; SWOT analysis; Scenario analysis; Others
• Assessment Criteria: Risk Assessment Criteria (RAC) with impact and
  likelihood thresholds
• Important Consideration: Knowledge and judgment of individuals involved
  is critical; well suited where risks don’t lend themselves to
  quantification
21. ERA – relating risk appetite, risk tolerance
and risk limits to prioritize risks
Risk Capacity: The broad-based amount of risk a company is able to accept in
pursuit of its mission, vision, business objectives and overall strategic
goals; directly related to an entity’s capital, liquidity and external
stakeholder influence.

Risk Appetite: The broad-based aggregate amount of risk a company is willing
to accept in pursuit of its mission, vision, business objectives and
strategic goals; directly related to an entity’s risk capacity as well as its
culture, desired level of risk, risk management capability and business
strategy.

Risk Tolerance: The specific maximum applicable to each category of risk
regarding the magnitude of risks that the organization is willing to take to
achieve its strategy and objectives; set such that the aggregation of risk
tolerances ensures the organization operates within the risk appetite.

Risk Target: The optimal level of risk that the organization desires to take
to achieve specific business objectives and operate within its
appetite/tolerance for risk; defines the balance between risk and reward. The
risk target is based on management’s desired returns, the role of risk in
achieving those returns and the capability to manage the risk/reward profile.

Risk Limits: Thresholds to ensure that variation from the expected outcome
will be consistent with the risk target, but will not exceed the risk
appetite/tolerance; defines process-level controls and management
authorities and should reflect risk limits.
22. ERA – risk map / assessment outputs (example)
(Risk map: each numbered risk is plotted by risk exposure against
management preparedness.)

Axes
• Vertical: Risk exposure (Impact x likelihood), Low 0.0 to High 25.0
  (gridlines at 5.0, 10.0, 15.0, 20.0)
• Horizontal: Management preparedness, Low 1.0 to High 5.0

Quadrants
• Improve (high exposure, low preparedness)
• Monitor Controls (high exposure, high preparedness)
• Monitor Risks (low exposure, low preparedness)
• Accept / Optimize (low exposure, high preparedness)

Tier 1 risks (Risk No – description)
1 Emerging Markets – Growth
2 Liquidity – Cash Management
3 Key Supplier Dependence
4 Debt – Cost of Capital
5 IT – Security and Privacy
6 Sourcing – Global Competition
7 IT – Infrastructure Efficiency
8 Joint Venture Relationships
9 Ineffective Financial Planning and Forecasting
10 Competitive Recruitment and Retention
11 Focus and alignment of Acquisitions and Integration
12 Evolving Regulatory Changes – United States Markets
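The risk map on this slide and the appetite/tolerance/limit definitions on the previous one describe a scoring procedure without showing the arithmetic. The following Python is an added example, not part of the deck or of Ernst & Young’s methodology: it computes exposure as impact x likelihood on the 1–5 scales the map uses, assigns each risk to one of the four quadrants, ranks and tiers the risks, and checks the worst exposure per RiskUniverse category against a per-category risk tolerance. The risk names are taken from the slide; all scores, the quadrant split points, the Tier 1 cutoff and the tolerance values are constructed for illustration.

```python
"""Risk map scoring: exposure = impact x likelihood, plotted against management
preparedness and bucketed into the slide's four quadrants. All numeric values
below are constructed for this example; they are not the deck's data."""
from dataclasses import dataclass
from typing import Dict, List

SCALE_MIN, SCALE_MAX = 1.0, 5.0   # slide axes: preparedness 1.0-5.0, exposure up to 25


@dataclass(frozen=True)
class Risk:
    risk_id: int
    name: str
    category: str        # RiskUniverse category: Strategic, Operations, Financial, Compliance
    impact: float        # 1 (low) .. 5 (high)
    likelihood: float    # 1 (rare) .. 5 (almost certain)
    preparedness: float  # 1 (weak controls) .. 5 (strong controls)


def _check_scale(value: float, label: str) -> float:
    """Reject scores outside the assessment scale instead of silently plotting them."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label}={value} outside {SCALE_MIN}-{SCALE_MAX}")
    return value


def exposure(r: Risk) -> float:
    """Risk exposure as on the map's vertical axis: impact x likelihood (max 25)."""
    return _check_scale(r.impact, "impact") * _check_scale(r.likelihood, "likelihood")


def quadrant(r: Risk, exposure_split: float = 12.5, prep_split: float = 3.0) -> str:
    """Map a risk to one of the four response quadrants (split points are assumed)."""
    high_exposure = exposure(r) >= exposure_split
    well_prepared = _check_scale(r.preparedness, "preparedness") >= prep_split
    if high_exposure and not well_prepared:
        return "Improve"
    if high_exposure and well_prepared:
        return "Monitor Controls"
    if not high_exposure and not well_prepared:
        return "Monitor Risks"
    return "Accept / Optimize"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest exposure first; among equals, the least prepared first."""
    return sorted(risks, key=lambda r: (-exposure(r), r.preparedness, r.risk_id))


def tier1(risks: List[Risk], cutoff: float = 15.0) -> List[Risk]:
    """Tier 1 = risks whose exposure is at or above the cutoff (cutoff assumed)."""
    return [r for r in prioritize(risks) if exposure(r) >= cutoff]


def tolerance_breaches(risks: List[Risk], tolerance: Dict[str, float]) -> Dict[str, float]:
    """Compare the worst exposure in each category with that category's risk
    tolerance (the per-category maximum of slide 21). Returns the excess per
    breached category; an empty dict means every category is within tolerance."""
    worst: Dict[str, float] = {}
    for r in risks:
        worst[r.category] = max(worst.get(r.category, 0.0), exposure(r))
    return {c: round(e - tolerance[c], 2) for c, e in worst.items()
            if c in tolerance and e > tolerance[c]}


# Constructed sample: names from the slide, scores invented for the example.
SAMPLE_RISKS = [
    Risk(1, "Emerging Markets - Growth", "Strategic", 5, 4.5, 2.0),
    Risk(2, "Liquidity - Cash Management", "Financial", 5, 4.0, 3.5),
    Risk(3, "Key Supplier Dependence", "Operations", 4, 4.5, 2.5),
    Risk(5, "IT - Security and Privacy", "Operations", 4, 3.5, 4.0),
    Risk(9, "Ineffective Financial Planning and Forecasting", "Financial", 3, 3.0, 4.5),
    Risk(12, "Evolving Regulatory Changes - United States Markets", "Compliance", 3, 3.0, 2.0),
]

# Constructed per-category tolerances (maximum acceptable exposure).
SAMPLE_TOLERANCE = {"Strategic": 20.0, "Financial": 18.0, "Operations": 16.0, "Compliance": 12.0}


if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.risk_id:>2} {exposure(r):5.1f} {quadrant(r):18} {r.name}")
    print("Tier 1:", [r.risk_id for r in tier1(SAMPLE_RISKS)])
    print("Tolerance breaches:", tolerance_breaches(SAMPLE_RISKS, SAMPLE_TOLERANCE))
```

The tie-break in prioritize matters in practice: two risks with identical exposure land in different quadrants when their preparedness differs, so the less-prepared one is listed first. The tolerance check is the bridge back to slide 21: a breach means the category’s worst risk exceeds the maximum the organization said it would take, which is the trigger for an Improve response rather than a Monitor one.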
23. RMFA – a view of required competencies
Leveraging the information obtained through the ERA, the company
evaluates the design and application of the risk management
competencies to define improvement opportunities.
(Competency diagram; components sit in an Assess → Improve → Monitor cycle.)

• Governance & Mandate – Do we have the proper oversight on risk and
  control?
• Strategy – Are risk decisions made with proper guidance?
• People – Does the culture encourage taking the appropriate risks? Are
  efforts effectively aligned and coordinated to manage risk?
• Methods and Practices – Are risk and control activities efficient and
  effective?
• Monitor – How are risks and controls assessed, monitored and improved?
24. RMFA – key focus areas to be assessed
The evaluation of an organization’s risk management capabilities should
be focused on a variety of key components and identify opportunities for
enhancements across the organization.
Governance
• Tone At The Top
• Strategies and Objectives
• Policy and Procedures
• Organizational Structure
• Compliance
• Communication

People
• Culture and Performance
• Alignment and Coordination
• Competence and Capabilities
• Roles and Responsibilities

Methods and Practices
• Risk Identification and Assessment
• Risk Management Design and Effectiveness
• Process Improvement and Efficiency
• Monitoring and Reporting
• Technology
26. Principles of Effective Risk Management – 6 key elements of successful
ERM programs (E&Y’s ERM point of view)
• Agreed risk strategy The Board and management
must provide guidance on the appropriate strategy and
approach to Risk Management aligned to the
organizational strategy.
• Clear governance framework The Board will
usually delegate day-to-day governance through an
oversight structure that includes an enterprise risk
committee and/or a chief risk officer.
• Efficient Risk Management processes The
organization needs defined procedures for assessing and
continuously monitoring risks on an enterprise wide basis.
• Appropriate technology Effective systems providing
access to information about risk identification, assessment
and solutions to support the Risk Management processes.
• Coordination of Risk Management functions
Integrated risk functions embedded within the business to
leverage expertise across the entire organization.
• The right culture and capability Everyone in the
organization must be attuned to the risk culture and
performance measurements must be risk based.
27. Parting comments…
“A ship in harbor is safe -- but that is not
what ships are built for.” John A. Shedd, Salt from My Attic, 1928
…Questions?
28. Speaker’s bio
Peter Rosenzweig has more than 17 years’ experience in the assessment,
design, and implementation of complex risk management and internal
control frameworks, including IT risk and control structures. Peter serves
as regional subject matter resource in the application of Ernst & Young’s
Enterprise Risk Management methodology and he has assisted various
large organizations with the implementation or transformation of
enterprise-wide risk management capabilities.
Contact Information
Peter Rosenzweig
Ernst & Young LLP
Risk Advisory Services
Direct: 213.977.5849
peter.rosenzweig@ey.com
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction
and advisory services. Worldwide, our 130,000 people are united
by our shared values and an unwavering commitment to quality.
We make a difference by helping our people, our clients and our
wider communities achieve potential.
For more information, please visit www.ey.com.
Ernst & Young refers to the global organization of member firms
of Ernst & Young Global Limited, each of which is a separate
legal entity. Ernst & Young Global Limited, a UK company limited
by guarantee, does not provide services to clients.