Developments Advanced in Risk Analysis and Risk Management. Lori Brown, Seton Hall University Robert Roach, New York University Jean Demchak, Marsh.
Program Speakers:
• Lori Brown, Director of Compliance & Risk Management, Seton Hall University, South Orange, NJ
• Jean Demchak, Managing Director, Global Education Leader, Marsh, Inc., New York, NY
• Robert F. Roach, Chief Compliance Officer, New York University, New York, NY
“It wasn’t the risk we knew about that concerned us, but the risks we were unaware of that worried us the most.”
Chris McAlary, VP Finance, Mount St Mary’s College
Program Overview
• Trends in risk management and the impact of ERM on credit ratings
• Developing an institutional ERM program
• Practical risk management tools for Compliance and ERM programs
Risk: Upside and Downside
All organizations face internal and external factors that make it uncertain whether and when they will meet their objectives. The effect of this uncertainty on achieving objectives is called risk.
Risk Management in Application
• Risk Management principles can be applied to any type of risk, whatever its nature, whether it has positive or negative consequences.
• Compliance Programs: use Risk Management principles to help identify, assess, evaluate, and treat ethical and regulatory risks.
• Enterprise Risk Management (ERM): a coordinated program applied throughout the life of an organization and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, and services.
Risk Assessment and Management Process
• Organizational Context: What are your organization’s objectives, structure and operations?
• Risk Identification: What are the possible risk events your organization faces?
• Risk Assessment: What is the likelihood of the risk event happening? What is the potential impact of the risk event?
• Risk Evaluation: Having assessed the risks, what is your organization’s “appetite” for risk? What are the most important risks to address?
• Risk Treatment: What steps must be taken to mitigate the risks identified?
• Monitoring, Review and Corrective Action: Are internal controls working effectively to mitigate risk? Is any corrective action needed?
• Communication: throughout the organization.
Simple Risk Assessment Diagram
Identified Risks:
• Conflicts of Interest
• Medicare/Medicaid Billing
• Time and Effort Reporting
• Tax Exempt Bonds
• Executive Compensation
• Record Retention
• Export Controls
• EEO/AA Laws
Risk Evaluation
Having assessed the risks: What are the most important risks to address? What is your organization’s “appetite” for risk?
Risk Response
• Avoidance
• Reduction/Mitigation (Internal Controls)
• Sharing (e.g. Insurance)
• Acceptance
• Crisis Management Plans
• Business Continuity Plans
• Other Operational Plans
Control Activities
• Organizational/Process Controls, e.g. Separation of Duties
• Documentation: Written Policies and Procedures
• Essential Training
• Audit Trails: final results should be traceable back to originating transactions
• Security and Integrity: Access Controls
Strategic Risk Management: Expectations and Opportunities
[Chart: areas where senior management’s expectations of risk management have grown, by respondent group (Risk Manager, C-Suite, Finance); percentages not reproduced. Areas: integrate with operations; execute day-to-day RM activities efficiently; improve quantification/analysis; understanding of non-insurable risks; increase involvement in strategic planning; lead ERM activities; work with lower headcount; serve on RM committee; increase use of technology; understanding of RM ROI.]
Source: Excellence in Risk Management VIII
Strategic Risk Management: Expectations and Opportunities
[Chart: key performance indicators (KPIs), grouped as primary, secondary and tertiary KPIs; grouping not reproduced. KPIs: manage RM value through TCOR; competitive procurement of risk transfer; financial measures for retained/insured exposures; insurance budget management; mitigate liabilities/support preparedness; align RM objectives with company risk tolerance; RM alignment with company goals; build strategic risk awareness across the organization; deliver successful claim results; compliance.]
Source: Excellence in Risk Management VIII
Strategic Risk Management: Expectations and Opportunities
Effectiveness of risk committees
[Chart 1: How effective are cross-functional risk committees? Responses: very effective / somewhat effective / not effective; percentages not reproduced.]
[Chart 2: How could your firm’s cross-functional risk committee become more effective? Responses: consider risks more strategically; disseminate information more widely; increase visibility of senior management support; use a wider range of analytics; engage senior management to communicate support.]
Source: Excellence in Risk Management VIII
Strategic Risk Management: Expectations and Opportunities
[Chart: primary focus areas for developing RM capabilities, 2009 vs. 2010 vs. 2011; values not reproduced. Areas: strengthen ERM; training/education; technology upgrades; current employees; restructure insurance programs.]
Source: Excellence in Risk Management VIII
Strategic Risk Management: Expectations and Opportunities
Barriers to senior management’s understanding of the risk landscape:
• Siloed approaches to RM
• Lack of awareness of ERM concepts
• Organizational structure
• Inadequate RM representation at Board/C-suite level
• Lack of relevant risk data
• Inadequate link to strategies
• Demonstrating value of ERM
Source: Excellence in Risk Management VIII
Strategic Risk Management: Expectations and Opportunities
[Chart: Top Ten Risks; * percent of respondents with a management plan in place or a recent review undertaken of the risk. Risk list not reproduced.]
Source: Excellence in Risk Management VIII
Definition of Enterprise Risk Management (ERM)
A structured, consistent, and continuous risk management process applied across the entire organization that brings value by:
• Proactively identifying, assessing, and prioritizing material risks
• Developing and deploying effective mitigation strategies
• Aligning with strategic objectives and administrative processes
• Embedding key components into the organization’s culture:
  • Risk ownership, governance, and oversight
  • Reporting and communications
  • Leveraging technology and tools
• S&P incorporating ERM reference into industry credit rating reports
ERM Compliance Factors: Commentary
• Compliance and ethics oversight has traditionally been the responsibility of an institution’s legal department
• Risk management procedures of institutions are under increasing regulatory and private scrutiny
• There has been a shift from a defensive function focused on policies, procedures and expenditures to a strategic function focused on optimizing resource allocation and effectiveness
• Recent mandates and guidelines are fueling the momentum
ERM Compliance Factors: Current and Emerging Standards and Guidelines
GUIDELINES & BEST PRACTICES:
• Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) ERM Framework
• Standard & Poor's (S&P) ERM Ratings Criteria for Non-Financial Organizations
• ISO 31000
EMERGING REGULATIONS & GUIDELINES:
• Accreditation requirements?
ERM Guidelines and Best Practices: Overview of S&P’s ERM Ratings Criteria
Assessment areas: Culture; Risk Controls; Emerging Risk Preparation; Strategic Risk Management
• Organizational structure
• Risk management staff roles and accountability
• Risk communication (internal and external)
• Risk identification, measurement and monitoring
• Risk limit application and enforcement
• Risk control processes: policies, infrastructure, methodology (PIM)
• Sector and firm-specific risk control criteria
• Environmental scanning, trending, stress testing, contingency planning and other pre-loss practices
• Expectation planning for negative events: pre- and post-loss performance
• Utilization of risk management and return on risk in strategic decision making
• Risk consideration within capital budgeting and allocation, performance measurement and other administrative practices
ERM Guidelines and Best Practices: ISO 31000
Process clauses:
• 6.2 Communication & Consultation
• 6.3 Establishing the context
• 6.4 Risk Assessment
  • 6.4.2 Risk Identification
  • 6.4.3 Risk Analysis
  • 6.4.4 Risk Evaluation
• 6.5 Risk Treatment
• 6.6 Monitoring & Review
Notes:
• The ISO 31000 Risk Management Standard follows the Australian / New Zealand Standard
• Released in late 2009
• No current certification standard, but one may follow
Source: International Organization for Standardization
ERM Compliance Factors: Common Elements of ERM Frameworks
• They outline a process for ERM implementation that includes:
  • Risk identification and assessment
  • Risk prioritization
  • Risk solution design and implementation
  • Routine monitoring and reporting
  • Communication
• They recognize that good risk management must be embedded into the organization’s day-to-day activities
• They consider both the ‘upside’ and ‘downside’ of risk
• They are not one size fits all
Building Senior-Level Support
Elements of an ERM Value Proposition:
• Optimal capital deployment
• Continued or improved rating agency confidence
• Effective critical event response
• Better decision making relative to risks assumed
• Enhanced stewardship and governance
Developing the Team/Structure
[Organization chart: risk reports flow up from the Risk Management Committee to the President/Senior Leadership and the Board of Trustees, with Internal Audit alongside. The Risk Management Committee draws on the Provost, Finance/Legal/HR, External Affairs and select Deans, with the Risk Manager supporting Colleges A, B and C and Departments A, B and C. RM, Compliance and Audit (role placement marked “?”) provide ERM functional representation, risk management activity support and shared services; the units provide risk information and root data, and issues management.]
Understanding Where You Want to Go…
Critical success factors:
• Establish the right vision and a realistic plan
• Obtain senior leadership buy-in and direction
• Align with mission and strategic objectives
• Attack silos at the onset
• Set objectives / performance / early warning indicators
• Stay focused on results
• Communicate vision and key outcomes
• Develop a sustainable process rather than a one-time project
…Then Making It Happen
Three phases: (1) Assess the Current State; (2) Envision the Future State; (3) Implement ERM.
Elements addressed across the phases:
• Risk Identification, Assessment & Prioritization
• Risk Mitigation & Controls
• Risk Management Infrastructure:
  • Governance & Accountability
  • Reporting
  • Strategy
  • Policies, Processes & Procedures
  • Technology & Systems
  • Culture
• Implement Risk Solutions
• ERM Integration with:
  • Routine Processes
  • Strategic Plan
  • Organizational Culture
Keep in Mind: ERM is a Journey, Not a Destination
[Maturity diagram, Risk Management Philosophy from LOW (Insurance & Compliance) through Core ERM Practices to HIGH (Risk-Reward Optimization; Link to Strategy and Stakeholder Value).]
• Risk Specialization: isolated and independent risk management activities; limited focus on the linkage between enterprise-wide risks and strategies
• Enterprise Risk Awareness: adopt an ERM framework; assign executive ownership of risk management; conduct routine risk assessments
• Risk Management Integration: implement a fully integrated ERM structure based on a framework; monitor & report on risks through the enterprise; coordinate ERM activities
• Value Creation & Risk Optimization: embed risk management into strategic planning; monitor risks with early warning risk indicators; link risks to stakeholder value; drive sustainable performance
Sample Risk Map (Illustration)
[Risk map plotting Likelihood (Low / Medium / High) against Impact (Very Low / Low / Moderate / Major / Catastrophic); risks are shaded as tier one, tier two and tier three risks. Plot positions not reproduced.]
Key risks:
• Intellectual Property
• Greek Life
• Pension Funding
• Succession Planning
• Student Safety
• Economy
• Alumni Relations
• Faculty Retention
• Tuition Rate
• Athletics
• Research Compliance
• Community Relations
• Information Technology
• Delivery Channel
• Demographics
• Operating Model
• Research Grants
• Endowment Performance
• Privacy
Risk Identification
• Initial interview with the Risk Owner:
  • What issues/areas of concern keep them up at night?
  • What is the probability of occurrence, taking into account controls already in place?
  • Risk owner’s impression of impact level.
• Create a basic risk register. Focus on high-probability and high-impact risks.
Arthur Andersen LLP v. United States
The US Supreme Court recognized the legitimacy of managing and systematically disposing of records pursuant to a records retention policy. The Supreme Court held:
“‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.”
544 U.S. 696, 704 (2005)
Communication Each risk owner creates a project plan, including timelines for mitigating that risk. The risk owner provides semi-annual progress updates on risk mitigation projects. This information is provided to the Audit Committee of the Board of Trustees.