FRT - 110530 - BED - Why are some companies luckier than others - Frank Leenders

Transforming risk to create strategic valueFlevum Roundtable, May 2011

Why are some companies luckier than others?

Frank LeendersSenior Manager Advisory Services

Ernst & Young Advisory - Risk ServicesSolution Manager GRC BeNe

Transforming risk to create strategic value| 1© 2011 EYGM LimitedAll Rights Reserved

Competing in the “new normal”

Increasing market variation

Pressure on margins

Globalization and increasing competition Changing

business models

Enhancing transparency

Improving investor confidence Managing stakeholder

expectations

Improving shareholder value

Securing requisite capital

Increasing regulatory pressure

Greater market volatility

Greater stakeholder scrutiny

Increasing executive accountability

Addressing the risks that matter

Avoiding risk/security breaches

Three focus areas: Value, cost and risk


Observations on risk management Risk management survey results

„ Fundamental need to enhance the GRC functions of the company

„ Companies recognize increasing external pressure on their GRC functions and experience that shareholders as well as investors keep an eye on companies’ GRC efforts.

„ There is a difference between leadership and operational levels in evaluating the value for money of the GRC functions.

„ In the light of increasing GRC needs and necessary improvements, 41% of the companies plan GRC investments:

„ Assessing GRC function, revising risk management and intensifying the internal audit efforts are the top three GRC initiatives in the upcoming 12 to 18 months.

„ A clear view on the “what” and “why,” but a lot of uncertainty about the “how”:„ The main investment focus is on risk management because GRC seems to be

synonymous with companies’ risk management function. „ Almost three out of four companies believe that they already have a fully integrated

GRC function, which might not be the case when just 5% of the companies say that they have their GRC implementation completed when asked for more details.

„ Finally, three out of four companies believe that their GRC needs are aligned between the corporate and business unit levels but there are concerns due to the different reporting lines of GRC functions.


Observations on risk management What we are seeing with our clients

Companies are … Risk management remains a concern

Gaps — CEO’s and CFO’s indicate their risk oversight processes are immature and insufficient to deal with the rapid change in risks in the near futureScrutiny — Boards and executives face greater scrutiny for risk management oversight from regulators and external stakeholdersValue — 82% of institutional investors are willing to pay a premium for companies that are transparent and can demonstrate effective risk managementSilos — 73% of companies have seven or more separate risk functions operating independentlyEfficiency — 62% of companies believe they can get more risk coverage for less spend through better aligned and coordinated efforts

Overspending on risk by at least 30%

„ Hidden costs in risk spend

„ Inefficient activities

„ Overlap and redundancy

Not focused on the risks that matter and create value

„ Capital structure and strategic

„ New market entry and product development

„ Merger and acquisition

Failing to anticipate and respond to unforeseen risks

„ Risk not integrated with planning and performance management

„ Risk exposure in major initiatives and programs

„ Lack of alignment and communication at all levels of the enterprise


Cost

Risk Value

Cost

RiskValue

Balancing risk, cost and valueManaging upside opportunity with the potential of downside threat

Value

„ What are the risks that matter most?„ How do we know we are accepting the right level of risk? „ How effective is our risk reporting for executive

management and the Board?„ How do we know if our risks are being properly

managed?„ How comprehensive is our existing risk framework?„ What is internal audit doing to understand the risks that

our company faces?

„ What are we spending to manage our key risks? „ Where are there possible duplicative or overlapping risk

functions? „ Where can we further leverage automated controls versus

manual controls? „ Do we have the right mix of skills at the right cost? „ How effective are we in using technology to manage risk?„ How effective are we in using alternative sourcing strategies

to reduce costs?

„ How effective are we at aligning the risks we take to our business strategies and objectives?

„ What is the return on our risk investment? „ What process improvement ideas are we obtaining?„ What risks are we taking to achieve competitive

advantage? „ Is risk management slowing me down or helping me go

faster?

Risk

Cost


There are significant opportunities to improve the current state risk management landscape


Realignment and refocused effort can reduce the risk spend, increasing value

Board oversightAudit

committeeCompensation

committeeRisk

committeesOther

committee

Executive managementCEO CFO CRO General Counsel

Intern

al con

trol

Aligned mandate and scopeCoordinated infrastructure and people

Consistent methods and practicesCommon information and technology

Businessunit

Businessunit

Businessunit

Businessunit

Increased value, reduced costs and improved business performance

Future State

GovernanceEffective, responsive,

accountable risk oversight

Risk management

and integrated capabilities Reduce or eliminate

redundancy, overlap and

duplication in the

identification and

assessment, analysis,

control, measurement,

monitoring, mitigation,

testing

and reporting of risk

Business-level

PerformanceValued-

Added, improved

operational risk

performance


Leading practices are emerging

„ Changing attitudes: Risk is now everybody’s responsibility and plays a major role in decision-making across the organization

„ Comprehensive: Organizations are taking a more holistic risk view to better understand risk interdependencies and aggregate impacts

„ Proactive: Companies are becoming more forward-looking and predictive, incorporating stress-testing and scenario analysis

„ Risk tolerance: Leading organizations are defining risk tolerances and building a consistent organizational risk management culture

„ Transparency: Sharing of data, open decision-making and enhanced reporting to executive management has become increasingly important

„ Board communications: A majority of organizations indicate they are changing the frequency and substance of their Board-level risk discussions

„ Risk committees: Companies have added committees focused on enterprise risk and / or crisis management

„ Specialty Skills: Leading companies are enhancing their risk and control functions and leveraging specialty skills to address business risk on a comprehensive basis

„ Monitoring: Ongoing monitoring and the escalation of risk has become more robust with greater clarity or information and enhanced consistency across risk functions

„ Governance: Overall, leading organizations are driving “Risk Governance” from a holistic business perspective


Leading companies transform their risk landscape to achieve strategic advantage

Strengthening risk governance

Embedding risk management principles

Integrating multiple risk functions

Enhancing business level performance

by... to achieve...Improved visibility, accountability and

transparency to stakeholders

Cost efficienciesand businessperformance

Risk management that supports

strategic objectives

EY Risk Performance ModelEY Risk Performance Model

Governance


Agenda/session overviewRisk Transformation Workshop topics

1. Setting the stage 60 minutes

„ Marketplace challenges„ Strategic risk management issues„ Achieving strategic advantage„ <Company> strategies and initiatives

2. Understanding your risk philosophy 45 minutes

„ Exercise 1: Desired risk outcomes„ Exercise 2: Continuum„ Exercise 3: Risk vision statements

3. Risk performance model discussions 180 minutes

„ Overview/Prioritize four levels„ Drill-down discussions

„ Leading practices„ Current state observations„ Maturity assessment„ Improvement opportunities

4. Prioritization, roadmap and next steps 45 minutes

„ Validation/prioritization of proposed efforts„ Business case development„ Action plan/next steps

Phase 1 Phase 2 Phase 3 Phase 4

Business- level

performance

Integrated

capabilit ies

Risk

management

Governance

Assess GRC

process maturity

Adopt a common risk

framework

Refine and operationalize

governance

model

Identify gaps to

achieve future state

Validate GRC business

objectives

Demonstrate

technology

enablement

Pilot risk

integration

Define risk

appetite

Ide

nti

fy/D

iag

no

se

Understand

risk capabilities

Identify,

redundancies

and overlap

Document the rhythm of

the business

Embed risk capabilities

into the business

Measure and

monitor risk

performance

Roll-out risk

integration strategy

enterprise-wide

Improve on and

implement at the

business level

Leverage risk data

analytics/predictive modeling to

Improve decision making

Dia

gn

os

e/D

es

ign

De

sig

n/D

eliv

er

De

liv

er/

Su

sta

in

Internal

AuditRisk

Management

Businessunit

Businessunit

Businessunit

Businessunit

ComplianceInternal

Control

Informat ion

Technology

Legal and

Regulatory

External

Audit

Board/ senior management oversight

Audit

committee

Risk

committee

Other

committees

Siloed risk funct ions impede value, increase costsand reduce business level performance

EY Risk Performance Model

Governance


Defining a practical path forwardConduct a visioning session

FRT - 110530 - BED - Why are some companies luckier than others - Frank Leenders

Business

Transcript of FRT - 110530 - BED - Why are some companies luckier than others - Frank Leenders