© 2012 Deloitte Global Services Limited
Improving Audit Committee Responsiveness to Emerging Risks
June 12, 2015
Agenda
• Overview of the Risk Management Framework (“RMF”)
• Key concepts relating to identification of risks
• Identifying emerging risks
• Responding to emerging risks
• Q&As
The importance of risk assessment and proper oversight by the Audit Committee
• Audit Committees are responsible for overseeing financial risks and the process of identifying and addressing those risks
• Risk oversight has taken on increased importance in recent years
• An established RMF helps keep risks “top of mind” and instils a proactive risk culture within the organization
• Brings leadership focus to the most significant business risks and the mitigation of those risks
• Provides clear accountability and ownership of risks and improves understanding of risk interrelationships
Key questions for audit committees to ask concerning risk management
1. What are the company’s policies and processes for assessing and managing major financial risk exposures on an enterprise-wide basis?
2. What are the key risks, and what are the plans to address them?
3. Has the company clearly defined its risk appetite and obtained board approval for it?
4. How capable is the company of responding to and recovering from a major financial risk exposure?
5. Does the company have a process in place to identify and monitor emerging risks?
Risk is defined as: exposure to an event (or a series of events) that can affect the achievement of a firm’s strategy and objectives.
What does this mean?
• Risk stems from uncertainties, from both external and internal sources
• Risk should be considered in the broadest sense
• Risk is identified on a forward-looking basis; consider the time frame
• Risk could be a potential threat or an opportunity
• Risk needs to be managed after considering existing mitigation activities and risk appetite/tolerance
• Risk interrelationships should be considered
Risk Management Framework process
A necessary and relevant business process to identify and continually evaluate, manage and monitor risks to business strategies and objectives on an entity-wide basis. A common framework to manage all types of risks (internal and external, loss of opportunities and threats) to achieve maximum risk-adjusted returns.
[RMF process cycle diagram; visible step label: Monitor mitigation plans]
The process of creating a risk universe
Risk Universe: ‘Grouping of risks into categories based on common characteristics and definitions of risks’
1. Review strategy and objectives
2. Identify risks
3. Group risks under risk categories
4. Develop draft risk universe
5. Review and validate risk universe
6. Finalize risk universe
Example of risk categories and sub-categories
Strategic: Economy and market conditions; Competition; Acquisitions, alliances and other transactional arrangements; Priority market focus; Strategy selection and execution; Innovation
Client Service: Client portfolio; Client and engagement acceptance; Service delivery models; Client service delivery
Regulatory & Legal: Regulatory strategy; Regulatory/professional compliance; Cross-border liability; Confidentiality and security of information; Compliance with firm policies
Talent: Sufficiency and suitability of talent; Culture and engagement
Operational: Infrastructure and process effectiveness; Safety; Financial management
Risk Capacity, Appetite, Tolerance and Limits
• Risk Capacity – the volume of risk that an organization can take, in the context of:
  o Available capital and ability to raise capital
  o Strength of risk management capabilities and operational processes
  o Risk and control culture
  o Strategic position and competitive position
• Risk Appetite – the amount of risk an entity is willing to take on given its capacity to bear risk and its philosophy on risk taking.
• Risk Limits – a group of thresholds that set limits on acceptable actions and exposures. If risk limits are adhered to by a particular business unit, then that business unit can be said to be operating within the company’s risk tolerance.
Inherent and residual risk
Inherent Risk – Risk Management = Residual Risk
Inherent risk:
• Based on business objectives, strategy and operating environment
• Mitigation activities are not considered
• Helps define risk tolerance and whether risks are over-controlled
Risk management:
• Risk mitigation/management activities (including internal controls)
• People, process, technology
• Automated vs. manual
• Preventative and detective
Residual risk:
• Mitigation activities are considered
• Helps identify top risks which require actioning
• Helps determine risk management/control effectiveness
Risk assessment criteria: definitions
Likelihood: the probability that the risk will occur within the next three years, given the risk mitigation (management and/or monitoring) activities currently in place
Potential impact: the impact that an occurrence of the risk would have on the firm’s ability to successfully achieve its objectives, given the risk mitigation (management and/or monitoring) activities currently in place
Speed of onset (optional): the speed at which the risk is likely to have an impact on the firm
Risk trend (optional): the direction of the risk exposure as a result of features in the current environment and/or the member firm’s operations that heighten or lessen the risk in the period under review
Risk assessment result (cont’d): displaying the result in the form of a heat map (worked example)
By considering likelihood and impact, risks are mapped as follows:
ID – Potential risk: A – Risk A; B – Risk B; C – Risk C; D – Risk D
[Heat map figure: Likelihood (Low / Medium / High) on the horizontal axis, Impact (Low / Medium / High) on the vertical axis; risks A, B, C and D plotted; quadrant actions: Assure Risk Mitigation is Effective, Enhance Risk Mitigation, Redeploy resources, Measure for Cumulative Impact]
Inherent and residual risk assessment: flow of a residual risk assessment
1. Review the risk
2. Assess likelihood
3. Assess impact
4. Identify risk trend and speed of onset (optional)
5. Is the exposure acceptable, cautionary or unacceptable?
   – Acceptable: consider whether there is an improvement opportunity
   – Unacceptable or cautionary: identify risk owner; review root cause(s); develop mitigation plans; identify mitigation plan owner
6. Mitigation plan sign-off
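To make the inherent/residual distinction, the heat-map placement and the residual-assessment flow concrete, here is a small risk-register scorer. It is an added example, not code from the Deloitte material: the mapping of the Low/Medium/High scales to 1..3, the exposure score (likelihood × impact), the acceptable/cautionary/unacceptable thresholds, the assignment of the four heat-map actions to quadrants, the control “reduction” values and the sample risks are all assumptions made for illustration.

```python
"""Risk register scoring: inherent vs. residual exposure, heat-map action,
and the residual-assessment flow (acceptable / cautionary / unacceptable).

Added example. Scales, thresholds, quadrant-to-action mapping and the
sample register are constructed assumptions, not figures from the slides.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Ordinal assessment scale from the slides, mapped to integers (assumed 1..3).
SCALE: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}
LABEL: Dict[int, str] = {v: k for k, v in SCALE.items()}


@dataclass
class Control:
    """A mitigation activity (internal control). Reductions are in scale steps;
    the values are assumed for this example."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    id: str
    name: str
    likelihood: str                      # inherent, before mitigation
    impact: str                          # inherent, before mitigation
    controls: List[Control] = field(default_factory=list)
    owner: Optional[str] = None


def _clamp(level: int) -> int:
    return max(1, min(3, level))


def inherent_scores(risk: Risk) -> Tuple[int, int]:
    """Inherent view: mitigation activities are not considered."""
    return SCALE[risk.likelihood], SCALE[risk.impact]


def residual_scores(risk: Risk) -> Tuple[int, int]:
    """Residual view: inherent scores less the effect of existing controls."""
    lik, imp = inherent_scores(risk)
    for c in risk.controls:
        lik -= c.likelihood_reduction
        imp -= c.impact_reduction
    return _clamp(lik), _clamp(imp)


def exposure(likelihood: int, impact: int) -> int:
    return likelihood * impact            # 1..9


def rate_exposure(score: int) -> str:
    """Assumed tolerance thresholds on the 1..9 exposure score."""
    if score >= 6:
        return "unacceptable"
    if score >= 3:
        return "cautionary"
    return "acceptable"


def heat_map_action(likelihood: int, impact: int) -> str:
    """Quadrant-to-action mapping using the slide's four labels; which label
    sits in which quadrant is an assumption of this example."""
    if impact >= 2 and likelihood >= 2:
        return "Enhance Risk Mitigation"
    if impact >= 2:
        return "Assure Risk Mitigation is Effective"
    if likelihood >= 2:
        return "Measure for Cumulative Impact"
    return "Redeploy resources"


def assess(risk: Risk) -> dict:
    inh_l, inh_i = inherent_scores(risk)
    res_l, res_i = residual_scores(risk)
    res_score = exposure(res_l, res_i)
    rating = rate_exposure(res_score)
    # Flow from the slide: acceptable exposure only prompts an improvement check;
    # cautionary/unacceptable exposure needs an owner, root cause, plan, plan owner, sign-off.
    if rating == "acceptable":
        next_steps = ["Consider improvement opportunity"]
    else:
        next_steps = [
            "Identify risk owner" if risk.owner is None else f"Confirm risk owner: {risk.owner}",
            "Review root cause(s)",
            "Develop mitigation plan",
            "Identify mitigation plan owner",
            "Mitigation plan sign-off",
        ]
    return {
        "id": risk.id,
        "name": risk.name,
        "inherent": (LABEL[inh_l], LABEL[inh_i]),
        "residual": (LABEL[res_l], LABEL[res_i]),
        "residual_score": res_score,
        "rating": rating,
        "action": heat_map_action(res_l, res_i),
        # The inherent view shows over-control: low inherent exposure yet several controls.
        "over_controlled": rate_exposure(exposure(inh_l, inh_i)) == "acceptable" and len(risk.controls) > 1,
        "next_steps": next_steps,
    }


def assess_register(risks: List[Risk]) -> List[dict]:
    """Assess every risk and rank by residual exposure, highest first (top risks to action)."""
    return sorted((assess(r) for r in risks), key=lambda a: a["residual_score"], reverse=True)


# Constructed sample register (names borrowed from the slide's risk categories).
SAMPLE_RISKS: List[Risk] = [
    Risk("A", "Confidentiality and security of information", "High", "High",
         [Control("Encryption at rest", impact_reduction=1),
          Control("Quarterly access reviews", likelihood_reduction=1)], owner="CISO"),
    Risk("B", "Cyber attack", "High", "High"),
    Risk("C", "Safety", "Low", "Low",
         [Control("Site inductions", likelihood_reduction=1),
          Control("Protective equipment", impact_reduction=1)]),
    Risk("D", "Competition", "Medium", "Low"),
]

if __name__ == "__main__":
    for a in assess_register(SAMPLE_RISKS):
        print(f"{a['id']} {a['name']}: inherent {a['inherent']} -> residual {a['residual']} "
              f"(score {a['residual_score']}, {a['rating']}); action: {a['action']}"
              + ("; possibly over-controlled" if a["over_controlled"] else ""))
        for step in a["next_steps"]:
            print("   -", step)
```

The register is deliberately tiny; the point is that the same risk produces two pictures (risk B sits at the top of the residual ranking because it has no controls, while risk C is flagged from the inherent view as a candidate for redeploying resources), and that the follow-up steps are driven by the residual rating rather than by the raw inherent score.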
Emerging Risk Management
Quote from Donald Rumsfeld, former US Secretary of Defense:
“There are known knowns – these are things we know that we know.
There are known unknowns – these are things that we know we don’t know.
There are also unknown unknowns – there are things we don’t know we don’t know.”
• Known knowns represent risks we have identified and are managing
• Known unknowns represent emerging risks
• Unknown unknowns represent risks out there we are yet to recognize
Why invest time in emerging risk management?
An organization needs to address emerging risks to protect its business and to generate potential opportunities for the organization, depending on whether the risk is internal or external.
Emerging Risk Management – controlling the ticking time bomb
• Emerging risks are those an organization has not yet recognized, or those which are known to exist but are not well understood
• Potential losses are particularly uncertain due to insufficient information or time to fully analyze the emerging situation
• They usually have the characteristic of high impact / low likelihood
• Black swan events are events with low probability but massive consequences; they are dismissed as improbable beforehand and then rationalized after they have occurred
• Existing risk management is reactive, based on historical information, and has a shorter-term horizon; emerging risk management lacks precedent or history, is more qualitative, and requires “out of the box” thinking
Characteristics of emerging risks
• High level of uncertainty
• Lack of consensus
• Uncertain relevance
• Difficult to communicate
• Difficult to assign ownership
• Systemic or “business practice” issues
Emerging Risks: Best Practices
• Conduct emerging risk reviews and brainstorming workshops (cross-functional)
• Consider performing reverse stress testing (what could cause the business to fail, and understand the risks/events that could lead to this), e.g. an energy plant meltdown
• Integrate emerging risk review into the strategic planning process and adjust assumptions to take account of risks that impact longer-term goals
• Challenge conventional thought processes and expectations (champion and challenger approach)
Emerging Risks: Best Practices (cont’d)
• Understand the uncertainties inherent in your strategy
• Use robust scenario planning to evaluate management’s view of the future
• Watch out for risks embedded in the organization’s culture
• Make sure that someone owns the most critical emerging risks
• Perform a look-back analysis on new risks that emerged during the past 12 months and how they could have been mitigated
• Understand that many risks are interconnected and that risk management is dynamic and interactive
• Refresh the above process at least annually and consider the trending of risks
Examples of emerging risk indicators (risk: indicators)
• Future shortage of skills and talent: shifting demographics, falling national educational attainment levels, restrictive immigration policies
• Lack of business resilience: breadth and diversity of supply chain and/or distribution channels, open internal communications channels
• Market disruption through technological innovation: lack of technological agility, dependency on legacy systems for core processes, vendor lock-in on key systems
• Political instability impacting on market: deteriorating public trust in politicians or business-government relations, rising popularity of extremist parties
• Environmental disaster: increasing incidence of extreme weather events, underlying trends in temperature and rainfall, loss of biodiversity
• Sudden market realignment: trends in demographics and longevity, new migration patterns, rapid development of emerging markets
• Challenging economic environment: growing trade protectionism, asset price collapse, over-concentration on a single industry sector
• Cyber attack: increase in hacking and other suspicious online activity
• Reputational damage: negative industry coverage in media, negative sentiment on social media
Emerging Risks: Key questions for the audit committee to consider
1. Is management monitoring changes in the business environment to identify risks inherent in the corporate strategy?
2. Are changes made to the strategy in a timely manner?
3. Does management evaluate who may take unreasonable risk in the organization?
4. Are there lines of business generating unusual returns that no one outside of the unit understands?
5. Does management evaluate whether the incentive compensation structure can lead to unacceptable risk taking?
6. Is there a process for identifying extreme “black swan” events?
7. Is there a well-defined crisis management plan in place to deal with unexpected events that could damage the reputation?
Closing Remarks
Effective risk management is dependent on:
– Strong risk culture
– Continuous “tone at the top” messaging and strong risk awareness
– Adequate and customized training and education
– Embedding the Risk Management Framework into governance and management practices
An effective Framework increases the Audit Committee’s confidence:
– That all significant business risks are being proactively managed
– That potential emerging risks are being monitored
– That the business has the ability to realize its strategy and capitalize on opportunities
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte's approximately 195,000 professionals are committed to becoming the standard of excellence.
This publication is for internal distribution and use only among personnel of Deloitte Touche Tohmatsu Limited, its member firms, and their related entities (collectively, the “Deloitte Network“). None of the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.
© 2015 Deloitte Caribbean and Bermuda Limited and its affiliates