Enterprise Risk Management - The Canadian Chamber of...

Enterprise Risk Management A Practical Approach

Transcript of Enterprise Risk Management - The Canadian Chamber of...

Page 1: Enterprise Risk Management - The Canadian Chamber of ...cancham.com.ph/wp-content/uploads/2012/02/2-062211... · Enterprise Risk Management (ERM) is a process, ... D ev lop Risk Monitoring

Enterprise Risk Management: A Practical Approach

Page 2:

2 © SGV & Co. 2011 All rights reserved. Confidential and proprietary.

Agenda

► Corporate Governance
► What is Enterprise Risk Management
► ERM Process
► Integrating ERM into the Business

Page 3:

Corporate Governance Framework

Corporate governance is the system, including objectives, rules and procedures, by which business corporations are directed and controlled.

or simply…

It is about doing the right things for the shareholders and stakeholders in a business.

Page 4:

The Role of the Board in the Context of Corporate Governance and Risk Management

► Oversee the risk management infrastructure
► Review the entity’s risk appetite
► Review the risk profile and the portfolio of risks
► Be aware of the risk mitigation strategies and evaluate their effectiveness
► Oversee the monitoring process for risk management

Page 5:

Agenda

► Corporate Governance
► What is Enterprise Risk Management
► ERM Process
► Integrating ERM into the Business

Page 6:

Enterprise Risk Management (ERM)

Page 7:

What is Enterprise Risk Management?

Risk Management: Coordinated activities to direct and control an organization with regard to risk. - ISO 31000

Enterprise Risk Management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

- Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Page 8:

ERM Helps Address These Issues . . .

► Accountability: Who is on top of these exposures?
► Balance: Are we managing the right risks?
► Effectiveness: Is the effectiveness of the mitigation strategies monitored?
► Coordination: Are the efforts well-coordinated to ensure we don’t manage risks in silos?
► Compliance: Are the policies and processes established to manage risks being complied with?
► Completeness: Are we proactively identifying and managing our key exposures?

Page 9:

Agenda

► Corporate Governance
► What is Enterprise Risk Management
► ERM Process

Page 10:

The Enterprise Risk Management Process: A Practical Approach

ASSESS
1. Assess Risk Management Framework
2. Identify and Prioritize Risks
3. Source and Measure Risks

IMPROVE
4. Develop Risk Management Strategies
5. Assess Risk Management Capabilities
6. Develop Risk Management Action Plans

MONITOR
7. Monitor Risk Management Process
8. Review Results of Monitoring
9. Improve the Risk Management Process

Communicate and Consult

Page 11:

1. Assess Risk Management Framework

Key Activities:
► Assess the current state of the Company’s Risk Management framework: ERM goals and objectives, risk management oversight structure, and policies

Outputs:
► Summary of focus areas for improvement of the Risk Management framework
► Risk management policy

ASSESS
1. Assess Risk Management Framework
2. Identify and Prioritize Risks
3. Source and Measure Risks

IMPROVE
4. Develop Risk Management Strategies
5. Assess Risk Management Capabilities
6. Develop Risk Management Action Plans

MONITOR
7. Develop Risk Monitoring Process
8. Develop Risk Reports
9. Define the Role of Internal Audit in ERM

[Figure: organization chart. Boxes: Board of Directors; Audit Committee; CEO; Risk Management Executive Committee; Internal Audit; CRO; CFO; CIO, CLO; COO; Business risk management function; Business Units A, B and C; Divisions A and B; Function support and shared services.]

Page 12:

Components of the Risk Management Framework

Governance & Organization
§ Executive sponsorship
§ Risk management organization
§ Ownership and accountability
§ Supervision and oversight

Risk Management Strategy
§ Alignment to business objectives
§ Risk tolerance and appetite
§ Policies and procedures
§ Risk language/categorization

Reporting & Communication
§ Message/Audience/Channel
§ Reporting (External/Internal)
§ Escalation Procedures
§ Stakeholder Dialogue

Tools & Technology
§ Data Repositories
§ Workflow Support Tools
§ Early-Warning Systems
§ Analytical and Modeling Tools

Culture & Capability
§ Skills Identification
§ Training
§ Measurement and Reward
§ Behavior (Integrity/Ethics)

Page 13:

Independent Validation Functions

Sample Risk Management Oversight Structure

Other Executives Directly Responsible for Managing Risks

-- Manage and Report “Manage Risk at the Source”

(cross-functional/enterprise-wide)

RMEC provides oversight and input to CEO and Board to make better informed decisions

RMU supports CRO and facilitates, supports and integrates the process

Comprehensive risk executive

Oversight role

[Figure: oversight structure chart. Boxes: Board of Directors; Audit/Risk Committee; CEO; Risk Management Executive Committee; Chief Risk Officer; CFO; CIO, CLO; COO; Risk Management; Compliance; Internal Audit; Business risk management function; Business Units A, B and C; Divisions A and B; Function support and shared services.]

Page 14:

2. Identify and Prioritize Risks

Key Activities:
► Identify and categorize risks
► Prioritize risks as to Severity of Impact and Likelihood
► Assign risk owners/risk owner groups

Outputs:
► Risk Universe
► Risk Map


[Figure: risk map plotting risks 1 to 10. Axes: Severity of Impact (1 Minimal, 2 Low, 3 Moderate, 4 High, 5 Critical; Financial Impact Measured in Operating Earnings (OE) on an annualized basis) and Opportunity for RM Improvement (Minimal, Low, Moderate, High, Critical).]

Page 15:

Risk Management Context

“A business risk is a threat that an event or action will adversely affect the Company’s ability and to achieve its business objectives to maximize stakeholder value.”

or

“What keeps the Board and Management awake at night?”

Page 16:

Linking Risk to Business Strategy

[Figure: the Company’s goals, objectives and strategy, surrounded by external and internal business risks, with the questions “What will not allow the Company to succeed?” and “How can we use these to our advantage?”]

Attributes of Business Risks
► Could be existing
► Could be emerging (has a potential of happening)
► Presents an exposure to both tangible and intangible assets
► Can arise from the external environment, from internal processes and from the lack of information for decision making
► Presents an exposure (downside) if not managed or a potential opportunity (upside) if managed well

Page 17:

EY Risk Universe

Top-level categories: Strategic, Operations, Compliance, Financial

Governance:
§ Board Performance
§ Tone at The Top
§ Control Environment
§ Corporate Social Responsibility

Planning and Resource Allocation:
§ Organizational Structure
§ Strategic Planning
§ Annual Budgeting
§ Forecasting
§ JV’s/Alliances and Partnerships
§ Special Purpose Entities
§ Technology Enablement
§ Tax Planning

Major Initiatives:
§ Vision and Direction
§ Planning and Execution
§ Measurement & Monitoring
§ Technology Implementations
§ Business Acceptance

Mergers, Acquisition & Divestiture:
§ Valuation and Pricing
§ Due Diligence
§ Execution and Integration
§ Emergence of Private Equity Firms as Buyers

Market Dynamics:
§ Competition
§ Macro-Economic Factors
§ Lifestyle Trends
§ Socio-Political
§ Brand Dilution
§ Globalization of Brands
§ Private Label

Communication & Investor Relations:
§ Media Relations
§ Crisis Communications
§ Employee Communication

Sales & Marketing:
§ Marketing
§ Advertising
§ Research & Development
§ Sales & Pricing
§ Customer Support/Management
§ Retailer Relationships
§ Innovation
§ Trend Optimization
§ Channel Stuffing/Brand Mortgaging
§ Effectiveness of trade spending
§ Predatory Pricing
§ Maintaining Brand Value/Minimizing Private Label Encroachment

Supply Chain:
§ Master Planning & Forecasting
§ Inventory
§ Procurement
§ Production
§ Distribution
§ Transportation & Logistics
§ Cost Control
§ After Sales Support/Customer Support
§ Diversification of Manufacturing
§ Increasing Use of Third Party Manufacturing
§ Raw Material/Inputs Pricings
§ Transfer pricing

People/Human Resources:
§ Culture
§ Recruiting & Retention
§ Development & Performance
§ Succession Planning
§ Compensation & Benefits
§ Labor Relations

Hazards:
§ Natural Events
§ Terrors & Malicious Acts
§ Business Continuity Planning

Code of Conduct:
§ Ethics
§ Fraud

Legal:
§ Contract
§ Liability
§ Intellectual Property
§ Anti-Corruption
§ Global Counterfeiting
§ Warranty
§ Increased regulatory pressure on products/ingredients

Regulatory:
§ Trade
§ Customs
§ Labor
§ Securities
§ Environment

Market:
§ Interest Rate
§ Foreign Currency
§ Commodity
§ Derivatives

Liquidity and Credit:
§ Cash Management
§ Funding
§ Hedging
§ Credit and Collections
§ Insurance

Accounting and Reporting:
§ Accounting, Reporting and Disclosure
§ Internal Control

Capital Structure:
§ Debt
§ Equity
§ Pension Funds
§ Stock Options

Information Technology:
§ IT Management
§ Information Protection
§ IT Availability/Continuity
§ Decision Support
§ IT Architecture
§ IT Outsourcing

Physical Assets:
§ Real Estate
§ Property, Plant & Equipment
§ Inventory

Tax Operations:
§ Tax Department Operations
§ Tax Technology and Knowledge Management

Regulatory:
§ Data Protection and Privacy
§ International Dealings
§ Product Quality/Safety
§ Health & Safety
§ Competitive Practices/Anti-Trade
§ Tax Compliance and Tax Authority Examination Management
§ Sales and Marketing

Page 18:

Risk Self-Assessment (RSA): Our RSA Approach

[Figure: RSA approach diagram. Labels: Business Units 1 to 5; Step 1; Step 2; Step 3; RSA Workshop; Risk Self-Assessment Survey; Executive Validation Interviews; Strategic Risks; Business Unit (BU) Level Risks; Consolidated Risk Profile.]

Page 19:

Risk Profile – Sample Output

[Figure: risk map plotting the Tier 1 risks 1 to 10. Axes: Severity of Impact (1 Minimal, 2 Low, 3 Moderate, 4 High, 5 Critical; Financial Impact Measured in Operating Earnings (OE) on an annualized basis) and Likelihood (Minimal, Low, Moderate, High, Critical).]

Rank Tier 1 Risks

1 Regulatory compliance

2 Technology Implementation

3 Price volatility

4 Capital/funding

5 Product chain

6 Pipeline shrinkage

7 Socio-Political

8 Terror & malicious acts

9 Corporate social responsibility

10 Natural events

Page 20:

ORMI Map – Sample Output

[Figure: ORMI map plotting the Tier 1 risks 1 to 10. Axes: Level of Risk (1 Minimal, 2 Low, 3 Moderate, 4 High, 5 Critical; Financial Impact Measured in Operating Earnings (OE) on an annualized basis) and Opportunities for RMI (Minimal, Low, Moderate, High, Critical).]

Rank Tier 1 Risks

1 Regulatory compliance

2 Technology Implementation

3 Price volatility

4 Capital/funding

5 Product chain

6 Pipeline shrinkage

7 Socio-Political

8 Terror & malicious acts

9 Corporate social responsibility

10 Natural events

Page 21:

Risk Management Effectiveness Map: A Way to Focus on Action, Not Analysis

► Monitor: Areas of high inherent risk where controls are deemed adequate by management may require monitoring.
► Improve: High inherent exposure with a low level of control must be a key priority for risk management strategy development and controls improvement.
► Accept: Risks with low inherent exposure that also have a low level of control may be consciously accepted by the organization.
► Optimize: Areas of low inherent exposure with a high level of control may generate opportunities to optimize the process and control for efficiency.

The output of an effective Risk Self-Assessment provides insight that is ACTIONABLE.

[Figure: quadrant map with axes Level of Risk (Minimal to Critical) and Opportunity for RM Improvement (Minimal to Critical); quadrants labelled Accept, Improve, Optimize and Monitor.]

Page 22:

The top 10 risks for organizations (ranking from 2010 in brackets)

1. Regulation and compliance (1)
2. Cost cutting (6)
3. Managing talent (4)
4. Pricing pressure (15)
5. Emerging technologies (13)
6. Market risks (New)
7. Expansions of government’s role (New)
8. Slow recovery or double-dip recession (3)
9. Social acceptance risk/corporate social responsibility (CSR) (9)
10. Access to credit (2)

Predicted risk level in 2013. Key to symbols: More, Same, Less

Page 23:

The top 10 opportunities for organizations

1. Improving execution of strategy across business functions
2. Investing in process, tools and training to achieve greater productivity
3. Investing in IT
4. Innovating in products, services and operations
5. Emerging market demand growth
6. Investing in cleantech
7. Excellence in investor relations
8. New marketing channels
9. Mergers and acquisitions
10. Public-private partnership

Predicted opportunity level in 2013. Key to symbols: More, Same, Less

Top 10 global business opportunities: Customer reach; Operational agility; Cost competitiveness; Stakeholder confidence

Page 24:

3. Source and Measure Risks

Key Activities:
► Source business risk
► Measure business risk

Outputs:
► Risk Driver Analysis
► Risk Measurements

[Figure: risk driver analysis for Regulatory Risk, showing external influences and internal influences. Drivers shown:]
► Legislation
► Competitor actions
► Complex regulatory environment of industry
► Investment needed to comply with regulatory requirements
► Investments in different countries
► Rapport with regulators
► Exposure to multiple regulatory agencies
► Staff knowledge and motivation
► Changes in the regulatory office
► Process for monitoring compliance
► Increasing public environmental concern


Page 25:

4. Develop Risk Management Strategies

Key Activities:
► Develop risk management strategies
► Validate risk management strategies cross-functionally

Outputs:
► Risk Management Strategies

COMPLIANCE RISK. Inability to adapt and comply with the various business requirements and regulations (industry standards, financial reporting, regulatory, and technical quality) resulting in sanctions from various regulatory agencies.

RISK MANAGEMENT STRATEGY: Accept Compliance Risk as an inherent aspect of the business and industry, but Reduce the risk of occurrence by establishing controls that ensure 100% compliance. Influence regulations to the extent possible and permissible.

RISK DRIVER 1: Inability to determine the status of the Company’s compliance with all regulatory, contractual, financial and other requirements at any single point in time.

RISK MANAGEMENT STRATEGIES:
• Establish a monitoring process in each functional area responsible for compliance with regulatory, contractual, financial and other requirements.
• Establish policies, procedures and reports for the regular and periodic reporting to management of the status of the Company’s compliance in each functional area.

RISK DRIVER 2: Regulatory requirements that are complicated and costly to comply with

RISK MANAGEMENT STRATEGIES:
• Work to influence regulation through active participation and cooperation in industry activities including study groups for new/upcoming regulations, educational campaign, and other venues to share industry information, ideas and insights
• Ensure active participation in industry groups that promote the Company’s interests

Risk management strategy options:
AVOID: Divest, Prohibit, Stop, Target, Screen, Eliminate
RETAIN: Accept, Reprice, Self insure, Offset, Plan
REDUCE: Disperse, Control
TRANSFER: Insure, Reinsure, Hedge, Indemnity, Securitize, Share, Outsource
EXPLOIT: Allocate, Diversify, Expand, Create, Redesign, Reorganize, Price, Arbitrage, Renegotiate, Influence


Page 26:

5. – 6. Assess Risk Management Capabilities, and Develop Risk Management Action Plans

Key Activities:
► Assess current and desired future state of risk management capabilities
► Develop risk management action plans to close gaps

Outputs:
► Risk Management Capabilities Assessment
► Risk Management Action Plans

Risk Management Capabilities Assessment

Capability components: Policies; Processes; People; Management Reports; Methodologies; Systems and Data

Capability levels:
► Initial: Capabilities are characteristic of individuals, not of the organization
► Repeatable: Process established and repeating; reliance on people is reduced
► Defined: Policies, processes and standards defined and formalized across the company
► Managed: Risks measured and managed quantitatively and aggregated on an enterprise-wide basis
► Optimizing: Organization focused on continuous improvement of business risk management

• Development of an


Page 27:

7. - 9. Monitor Activities

Key Activities:
► Design risk reporting process and risk reports
► Define role of Internal Audit in monitoring the effectiveness of the risk management process

Outputs:
► Risk monitoring process
► Risk reports

[Figure: sample purchasing process flowchart with control points A to D. Labels: Purchasing Staff; General Manager/President; Approved PR; Encodes PR; Generates PO; Attaches PR to PO; Sends PR to Requesting Dept.; Updates PO transaction file; PO Transaction File; Purchase Order (PO), copies 1 to 4; Approves PO; Approved PO; Distributes PO to user depts.; Sends PO; Confirms receipt; file; To Accounting; To Distribution; To Stockroom; To Requesting Department.]

A. The General Manager approves POs with value of P50,000 and less, while the President approves PO above P50,000.


Page 28:

Key Success Factors to ERM

► Executive Leadership and Support

► Effective Change Enablement and Communication Process

► Project Management and Infrastructure Support

► Access to Tools and Resources

► Periodic Monitoring and Performance Measurement

Page 29:

The ERM Process and the ISO 31000 Risk Management Framework for Managing Risk

ASSESS
1. Assess Risk Management Framework
2. Identify and Prioritize Risks
3. Source and Measure Risks

IMPROVE
4. Develop Risk Management Strategies
5. Assess Risk Management Capabilities
6. Develop Risk Management Action Plans

MONITOR
7. Monitor Risk Management Process
8. Review Results of Monitoring
9. Improve the Risk Management Process

Communicate and Consult

Page 30:

The ERM Process and the ISO 31000 Risk Management Process for Managing Risk

ASSESS
1. Assess Risk Management Framework
2. Identify and Prioritize Risks
3. Source and Measure Risks

IMPROVE
4. Develop Risk Management Strategies
5. Assess Risk Management Capabilities
6. Develop Risk Management Action Plans

MONITOR
7. Monitor Risk Management Process
8. Review Results of Monitoring
9. Improve the Risk Management Process

Communicate and Consult

Page 31:

Agenda

► Corporate Governance
► What is Enterprise Risk Management
► ERM Process
► Integrating ERM into the Business

Page 32:

Integrating ERM into the Business

Strategic Plan and Financial Target Development
► Strategy and Value Drivers
► Long Range Strategic Plan
► Strategic Risk Assessment
► Strategic Initiatives & Financial Targets

Business Planning, Budget and Forecast Process
► Business Level Objectives
► Detailed Planning Analysis For Business Plan
► Business Level Risk Assessment
► Business Level Budget, Forecast & Operating Plan

Quarterly Business Performance Review Process
► Quarterly Revenue & Earnings
► Quarterly Review Against Business Plan
► Quarterly Risk Assessment Review
► Business Level Performance Measurement

Ongoing Risk & Control Monitoring and Support
► Internal Audit
► Regulatory & Compliance
► Internal Control
► Other Risk & Control Groups

1. Strategic Risk Assessment: Creates enterprise-level risk profile aligned to strategy and business objectives
2. Business Level Risk Assessment: Provides basis for structured consideration of risk relative to business plan process
3. Quarterly Risk Assessment Review: Routinely challenges the impact of key risks on budget, plan, forecast and performance
4. Provides key risk and control groups with routine updates on emerging risk issues

Page 33:

Thank you.