© 2012 Deloitte Global Services Limited

Improving Audit Committee Responsiveness to Emerging Risks

June 12, 2015

Agenda

• Overview of Risk Management Frameworks (“RMFs”)

• Key concepts relating to identification of risks

• Identifying emerging risks

• Responding to emerging risks

• Q&As


The importance of risk assessment and proper oversight by the Audit Committee

• Audit Committees are responsible for overseeing financial risks and the process of identifying and addressing those risks

• Risk oversight has taken on increased importance in recent years

• An established RMF helps keep risks “top of mind” and instill a proactive risk culture within the organization

• Brings leadership focus to the most significant business risks and mitigation of those risks

• Provides clear accountability and ownership of risks and improves understanding of risk interrelationships


Key questions for audit committees to ask concerning risk management…

1. What are the company’s policies and processes for assessing and managing major financial risk exposures on an enterprise-wide basis?

2. What are the key risks and the plans to address them?

3. Has the company clearly defined its risk appetite and obtained board approval?

4. How capable is the company in responding to and recovering from a major financial risk exposure?

5. Does the company have a process in place to identify and monitor emerging risks?

Key Concepts

Risk is defined as: Exposure to an event (or a series of events) that can affect the achievement of a firm’s strategy and objectives.

What does this mean?

• Risk stems from uncertainties – external and internal sources

• Risk should be considered in the broadest sense

• Risk is identified on a forward-looking basis – consider time frame

• Risk could be a potential threat or an opportunity

• Risk needs to be managed after considering existing mitigation activities and risk appetite/tolerance

• Risk inter-relationships should be considered


Risk Management Framework process

A necessary and relevant business process to identify and continually evaluate, manage and monitor risks to business strategies and objectives on an entity-wide basis. A common framework to manage all types of risks (internal and external, loss of opportunities and threats) to achieve maximum risk-adjusted returns.

Process diagram (label recovered): Monitor mitigation plans

The process of creating a risk universe

Risk Universe: ‘Grouping of risks into categories based on common characteristics and definitions of risks’

1. Review strategy & objectives

2. Identify risks

3. Group risks under risk categories

4. Develop draft risk universe

5. Review and validate risk universe

6. Finalize risk universe

Example of risk categories and sub-categories

Risk categories: Strategic; Client Service; Regulatory & Legal; Talent; Operational

Sub-categories:

• Economy and market conditions

• Competition

• Acquisitions, alliances & other transactional arrangements

• Priority market focus

• Strategy selection and execution

• Innovation

• Client portfolio

• Client and engagement acceptance

• Service delivery models

• Client service delivery

• Regulatory strategy

• Regulatory/professional compliance

• Cross-border liability

• Confidentiality and security of information

• Compliance with firm policies

• Sufficiency and suitability of talent

• Culture and engagement

• Infrastructure and process effectiveness

• Safety

• Financial management

Risk Capacity, Appetite, Tolerance and Limits

• Risk Capacity – The volume of risk that an organization can take, in the context of:

o Available capital and ability to raise capital

o Strength of risk management capabilities and operational processes

o Risk and control culture

o Strategic position and competitive position

• Risk Appetite – The amount of risk an entity is willing to take on given its capacity to bear risk and its philosophy on risk taking.

• Risk Limits – A group of thresholds that set limits on acceptable actions and exposures. If risk limits are adhered to by a particular business unit, then that business unit can be said to be operating within the company’s risk tolerance.


Inherent and residual risk

Inherent Risk – Risk Management = Residual Risk

Inherent Risk:

• Based on business objectives, strategy and operating environment

• Mitigation activities are not considered

• Helps define risk tolerance and whether risks are over-controlled

Risk Management:

• Risk mitigation/management activities (including internal controls)

• People, Process, Technology

• Automated vs. Manual

• Preventative and Detective

Residual Risk:

• Mitigation activities are considered

• Helps identify top risks which require actioning

• Helps determine risk management/control effectiveness

Risk assessment criteria – Definitions

Likelihood: The probability that the risk will occur within the next three years, given the risk mitigation (management and/or monitoring) activities currently in place

Speed of onset (Optional): The speed at which the risk is likely to have an impact on the firm

Potential impact: The impact that an occurrence of the risk would have on the firm’s ability to successfully achieve its objectives, given the risk mitigation (management and/or monitoring) activities currently in place

Risk trend (Optional): The direction of the risk exposure as a result of features in the current environment and/or the member firm’s operations that heighten or lessen the risk in the period under review

Risk assessment result (cont’d) – Displaying result in the form of a heat map – worked example

By considering likelihood and impact, risks are mapped as follows:

ID – Potential Risks

A – Risk A

B – Risk B

C – Risk C

D – Risk D

Heat map (figure): Likelihood (Low / Medium / High) on one axis and Impact (Low / Medium / High) on the other, with risks A, B, C and D plotted and the regions labelled “Assure Risk Mitigation is Effective”, “Enhance Risk Mitigation”, “Redeploy resources” and “Measure for Cumulative Impact”.

Inherent and residual risk assessment – Flow of a residual risk assessment

1. Review the risk

2. Assess likelihood

3. Assess impact

4. Identify risk trend and speed of onset (Optional)

5. Exposure acceptable, cautionary or unacceptable?

– Acceptable

– Unacceptable or Cautionary: Improvement opportunity?

6. Identify risk owner

7. Review root cause(s)

8. Develop mitigation plans

9. Identify mitigation plan owner

10. Mitigation Plan

11. SIGN OFF

Emerging Risk Management

Quote from Donald Rumsfeld, former US Sec of Defense:

“there are known knowns – these are things we know that we know. There are known unknowns – these are things that we know we don’t know. There are also unknown unknowns – there are things we don’t know we don’t know”

• Known knowns represent risks we have identified and are managing

• Known unknowns represent emerging risks

• Unknown unknowns represent risks out there we are yet to recognize

Why invest time in emerging risk management?

An organization needs to address emerging risks to protect its business and generate potential opportunities for the organization, depending on whether the risk is internal or external.


Emerging Risk Management – controlling the ticking time bomb

Emerging risks are those an organization has not yet recognized, or those which are known to exist but are not well understood.

Potential losses are particularly uncertain due to insufficient information or time to fully analyze the emerging situation.

Emerging risks usually have the characteristics of high impact / low likelihood.

Black swan events – Events with low probability but massive consequences. These are dismissed as improbable beforehand, then rationalized after they have occurred.

Existing risk management is reactive, based on historical information, and has a shorter-term horizon. Emerging risk management lacks precedent or history, is more qualitative, and requires “out of the box” thinking.


New Emerging Risk Insights

Characteristics of emerging risks

• High level of uncertainty

• Lack of consensus

• Uncertain relevance

• Difficult to communicate

• Difficult to assign ownership

• Systemic or “business practice” issues


Emerging Risks – Best Practices

• Conduct emerging risk reviews and brainstorming workshops (cross functional)

• Consider performing reverse stress testing (what could cause a business to fail, and understand the risks / events that could lead to this), e.g. an energy plant meltdown

• Integrate emerging risk review into the strategic planning process and adjust assumptions to take account of risks that impact longer term goals

• Challenge conventional thought processes and expectations (Champion & challenger approach)


Emerging Risks – Best Practices

• Understand the uncertainties inherent in your strategy

• Use robust scenario planning to evaluate management’s view of the future

• Watch out for risks embedded in the organization’s culture

• Make sure that someone owns the most critical emerging risks

• Perform a look-back analysis on new risks that emerged during the past 12 months and how they could have been mitigated

• Understand that many risks are interconnected and that risk management is dynamic and interactive

• Refresh the above process at least annually and consider trending of risks

EXAMPLES OF EMERGING RISK INDICATORS

Risk – Indicators

• Future shortage of skills and talent – Shifting demographics, falling national educational attainment levels, restrictive immigration policies

• Lack of business resilience – Breadth and diversity of supply chain and/or distribution channels, open internal communications channels

• Market disruption through technological innovation – Lack of technological agility, dependency on legacy systems for core processes, vendor lock-in on key systems

• Political instability impacting on market – Deteriorating public trust in politicians or business-government relations, rising popularity of extremist parties

• Environmental disaster – Increasing incidence of extreme weather events, underlying trends in temperature and rainfall, loss of biodiversity

• Sudden market realignment – Trends in demographics and longevity, new migration patterns, rapid development of emerging markets

• Challenging economic environment – Growing trade protectionism, asset price collapse, over-concentration on a single industry sector

• Cyber attack – Increase in hacking and other suspicious online activity

• Reputational damage – Negative industry coverage in media, negative sentiment on social media

Emerging Risks – Key questions for the audit committee to consider

1. Is management monitoring changes in the business environment to identify risks inherent in the corporate strategy?

2. Are changes made to the strategy in a timely manner?

3. Does management evaluate who may take unreasonable risk in the organization?

4. Are there lines of business generating unusual returns that no one outside of the unit understands?

5. Does management evaluate whether the incentive compensation structure can lead to unacceptable risk taking?

6. Is there a process for identifying extreme “black swan” events?

7. Is there a well-defined crisis management plan in place to deal with unexpected events that could damage the company’s reputation?


Closing Remarks

Effective risk management is dependent on:

– Strong risk culture

– Continuous “tone at the top” messaging and strong risk awareness

– Adequate and customized training and education

– Embedding the Risk Management Framework into governance and management practices

An effective Framework increases the Audit Committee’s confidence:

– That all significant business risks are being proactively managed

– That potential emerging risks are being monitored

– That the business has the ability to realize its strategy and capitalize on opportunities

Q&As

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte's approximately 195,000 professionals are committed to becoming the standard of excellence.

This publication is for internal distribution and use only among personnel of Deloitte Touche Tohmatsu Limited, its member firms, and their related entities (collectively, the “Deloitte Network”). None of the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

© 2015 Deloitte Caribbean and Bermuda Limited and its affiliates