
Enterprise Risk Management




  1. Enterprise Risk Management Lecture 9

  2. Why the Interest in ERM?
  • Performance bar is raised for Financial Executives
  • Your company can optimize overall returns and minimize risks
  • Leverage existing control processes to meet emerging risk governance demands
  • Rating agencies are incorporating ERM evaluation into the overall corporate rating
  • US Sentencing Guidelines offer consideration for effective risk management

  3. Evolution of ERM: COSO Internal Control Framework
  • Operations
  • Compliance
  • Financial Reporting

  4. Evolution of ERM: COSO Enterprise Risk Management
  • Strategy
  • Operations
  • Reporting
  • Compliance

  5. Defining ERM: Portfolio View
  [Figure: risk/return chart with axes "Average Annual Rate of Return" and "Standard Deviation"; regions labelled "Possible Combinations of Risk and Return" and "Unattainable Combinations". Modified from www.monkeychimp.com]

  6. Defining ERM: Key Concepts
  [Diagram: individual Silo Risks aggregate into Gross Risks; Response and Control reduces them to Net Risks]
  • Common Language
  • Common Measurement
  • Gross / Inherent Risk
  • Response / Control / Mitigation
  • Net / Residual Risk

  7. Implementing ERM
  Getting Started (maturity: Ad Hoc / Heroics)
  • Get buy-in from the top
  • Consolidate risk lists
  • Document existing risk management silos
  • Identify gaps in coverage
  Decide Next Steps (maturity: Initial Tasking)
  • Fill gaps to demonstrate value
  • Establish repeatable process

  8. Implementing ERM: Leverage Existing Processes
  • Internal Audit
  • Compliance
  • Strategic Planning
  • Operational Planning
  • Board Reporting
  [Process flow: Common Risk List → Assess Gross Magnitude and Likelihood → Prioritization of Risks → Self Assessment of Response and Control Capabilities → Consensus View on Net Risk → Disclosure of Risk Exposures]

  9. Risk and Control Focus

  10. Implementing ERM: Establishing a Process (maturity: Repeatable, Manageable)
  • Get management talking about enterprise risk
  • Develop common language
  • Develop a common measurement basis
  • Establish an Enterprise Risk Management framework
  • Dedicate staff
  • Develop expertise

  11. Implementing ERM: Key Questions (maturity: Optimizing…?)
  • Quality: Are we taking the right kinds of risk?
  • Quantity: Are we taking the proper amount of risk to meet our objectives?
  • Resources: Are we allocating resources (financial, human, etc.) efficiently to manage risks?
  • Advantage: Do we have a competitive advantage in a particular type of risk?
  • Challenges: cultural, operational

  12. Sample ERM Implementation Lifecycle
  Sample potential ERM implementation project lifecycle:
  • Comprehensive risk identification
    • Review existing risk lists
    • Interview senior management
    • Consolidate findings and report
  • Collect and index extant risk-related process documents
    • Find policies and procedures related to significant risks
    • Assess gaps in coverage, i.e. a risk identified but no related process
  • Assess gross risk
    • Interview business unit managers to determine risk events, potential impact and likelihood of occurrence
    • Review existing risk modeling at the business unit level
    • Assess risk materiality and prioritize risks
    • Document findings and report

  13. Sample ERM Implementation Lifecycle (Cont’d)
  • Assess capabilities to control and respond to risk
    • Determine organizational structure and identify risk management capabilities
    • Assist business unit managers in self-assessing their capabilities to control and respond to risk, using objective benchmarking criteria to determine relative strength
    • Determine the risk and capability alignment (one to one, many to one, one to many) and assess interdependencies
    • Document findings and report
  • Assess residual risks
    • Determine residual risk exposure based on higher risk materiality and lower related capabilities
    • Document findings and report
  • Develop gap-closing plan
    • For higher risk materiality and lower related capabilities, develop action plans to either modify risk materiality or strengthen capabilities
  • Execute gap-closing initiatives
    • Additional projects need to be scoped

  14. Value Proposition: Demonstrate Good Governance
  • Transparency to stakeholders
    • Reveal natural hedges
    • Understand how a single event or multiple events may impact the company as a whole
    • Broader understanding of the aggregate exposure to risk
    • No surprises
  • Clarify roles and responsibilities
    • Assign risks with no clear owner (e.g. reputation risk)
    • Enhance collaboration in response to events

  15. Risk Environment
  [Diagram of the risk environment; labels: Interest Rate Risk, Foreign Exchange, Hedging Programs, Product Pricing, Reserves, Consumer Behavior, Catastrophes, Reputation, Customer Financing, Prepaid Services, Loans, Bonds, People, Processes, Technology, Outsourcing, Fraud]

  16. Response and Control Capabilities
  • Compliance
  • Ethics
  • Internal Audit
  • Sarbanes-Oxley
  • Human Resources
  • Technology
  • Product Development
  • Communications
  • Insurance Programs
  • Capital Management
  Risk management capabilities exist throughout the enterprise: front office / sales, middle office / support, back office / processing.

  17. Response and Control Capabilities: ERM Heat Map
  [Figure: grid plotting response and control capability (Weaker → Stronger) against risk materiality (Higher → Lower)]
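The gross-to-net scoring in slide 6, the residual-risk and gap-closing steps in slide 13 and the heat-map quadrants in slide 17 can be exercised on a small risk register. The following is an added example written for this page, not code from the lecture: the 1-to-5 scales, the cap on how much a control can reduce gross risk, the quadrant thresholds and the sample register entries are all assumptions chosen for illustration.

```python
"""Risk register scoring: gross (inherent) risk, capability self-assessment,
net (residual) risk, heat-map quadrant and gap-closing candidates.
Added example for this page; scales, thresholds and data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed common measurement basis (not from the lecture): impact and likelihood
# are scored 1 (low) to 5 (high); each response/control capability is
# self-assessed 1 (weaker) to 5 (stronger). Even the strongest capability is
# assumed to remove at most MAX_REDUCTION of gross risk, so net risk never hits 0.
MAX_REDUCTION = 0.8
HIGHER_MATERIALITY = 12   # gross score at or above this counts as "Higher" materiality
WEAKER_CAPABILITY = 2     # capability strength at or below this counts as "Weaker"


@dataclass
class Risk:
    name: str
    impact: int
    likelihood: int
    owner: Optional[str] = None
    # capability name -> self-assessed strength; empty means the risk was
    # identified but no response/control process is aligned to it (slide 12 gap)
    capabilities: Dict[str, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for v in (self.impact, self.likelihood, *self.capabilities.values()):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: scores must be 1..5, got {v}")

    def gross(self) -> int:
        """Gross / inherent risk before any response or control (1..25)."""
        return self.impact * self.likelihood

    def capability_strength(self) -> int:
        """Many-to-one alignment: credit the strongest aligned capability; 0 if none."""
        return max(self.capabilities.values(), default=0)

    def net(self) -> float:
        """Net / residual risk after the aligned capabilities are applied."""
        reduction = MAX_REDUCTION * self.capability_strength() / 5
        return round(self.gross() * (1 - reduction), 2)

    def materiality(self) -> str:
        return "Higher" if self.gross() >= HIGHER_MATERIALITY else "Lower"

    def capability_band(self) -> str:
        return "Weaker" if self.capability_strength() <= WEAKER_CAPABILITY else "Stronger"

    def quadrant(self) -> str:
        """Heat-map cell: materiality on one axis, capability on the other."""
        return f"{self.materiality()} materiality / {self.capability_band()} capability"


def coverage_gaps(register: List[Risk]) -> List[str]:
    """Risks identified but with no aligned process (slide 12) or no clear owner (slide 14)."""
    gaps = []
    for r in register:
        if not r.capabilities:
            gaps.append(f"{r.name}: no response/control capability aligned")
        if r.owner is None:
            gaps.append(f"{r.name}: no clear owner")
    return gaps


def capability_alignment(register: List[Risk]) -> Dict[str, List[str]]:
    """Invert risk->capability into capability->risks to expose one-to-many dependencies."""
    by_cap: Dict[str, List[str]] = {}
    for r in register:
        for cap in r.capabilities:
            by_cap.setdefault(cap, []).append(r.name)
    return by_cap


def gap_closing_plan(register: List[Risk]) -> List[Risk]:
    """Higher materiality with weaker capability first, ranked by net risk (slide 13)."""
    hot = [r for r in register
           if r.materiality() == "Higher" and r.capability_band() == "Weaker"]
    return sorted(hot, key=lambda r: (-r.net(), -r.gross(), r.name))


# Constructed sample register; names echo slide 15 but the scores are invented.
REGISTER = [
    Risk("Foreign exchange", 4, 4, "Treasurer", {"Hedging program": 4}),
    Risk("Fraud", 5, 3, "Controller", {"Internal audit": 2, "Ethics hotline": 2}),
    Risk("Technology outage", 4, 3, "CIO", {"Business continuity": 5}),
    Risk("Reputation", 5, 3, None, {}),
    Risk("Outsourcing", 3, 3, "COO", {"Vendor management": 3, "Internal audit": 2}),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:18} gross={r.gross():2} cap={r.capability_strength()} "
              f"net={r.net():5} {r.quadrant()}")
    print("Coverage gaps:", *coverage_gaps(REGISTER), sep="\n  ")
    print("Capability -> risks:", capability_alignment(REGISTER))
    print("Gap-closing order:", [r.name for r in gap_closing_plan(REGISTER)])
```

Running the register shows the point of a common measurement basis: "Reputation" and "Fraud" land in the Higher/Weaker cell and head the gap-closing plan, while "Foreign exchange" has a larger gross score but a strong hedging program and so drops out of that cell; the inverted alignment also shows "Internal audit" carrying two risks, which is the kind of one-to-many dependency slide 13 asks you to assess.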

  18. Decisions Under Risk and Uncertainty

  19. Risk Governance
  • Decision making and controls related to risk taking
  • Interagency Statement on Complex Structured Financial Transactions
  • Rating agency consideration of ERM
  • Organizational Sentencing Guidelines
  • Internal Audit's role in ERM
  • Shape the control environment to maximize value; remember that wanting greater returns usually implies taking more risk

  20. Identifying Elevated Risk: Characteristics of Elevated-Risk CSFTs
  Complex Structured Financial Transactions that:
  • Lack economic substance or business purpose
  • Have questionable accounting, regulatory, or tax objectives
  • Create misleading disclosures
  • Involve circular transfers of risks
  • Involve undocumented agreements that impact regulatory treatment
  • Have economic terms inconsistent with market norms
  • Provide disproportionate compensation

  21. Organizational Sentencing Guidelines: Overview
  • Established by the US Sentencing Commission
  • Most recent revisions effective November 1, 2004
  • Applies to many forms of organizations: companies, not-for-profits, unions, governments, others
  • Focus on the effectiveness of the compliance and ethics program

  22. Effectiveness Criteria: Responsibility and Authority
  • Governing authority
    • Is knowledgeable of the compliance and ethics program
    • Exercises oversight of implementation and effectiveness
  • Specific high-level individuals shall have responsibility for the compliance and ethics program
  • Specific individuals shall be delegated operational responsibility for the compliance and ethics program
    • Report to governing authority / high-level individuals
    • Adequate resources
    • Appropriate authority

  23. Effectiveness Criteria: Procedures
  • Communication and training
  • Monitoring and auditing
  • Periodic evaluation of effectiveness
  • Anonymous reporting processes
  • Enforcement and consequences
  • Risk assessment

  24. ERM, Ethics and Compliance
  • Adopting ERM is one way to demonstrate a commitment to good governance
  • Enterprise-wide risk assessments can help put the need for a compliance and ethics program in context
  • Compliance risk assessments can leverage the enterprise risk assessment and management process
  • A coordinated testing strategy can save time and effort and reduce information overload

  25. Standard & Poor’s Approach
  Enterprise “risk management will become a separate major category of our analysis.”
  “The companies that are seen to be the best performers in this category will be those that have robust risk management processes that are carried out across the entire enterprise and that form a basis for informing and directing the firm’s fundamental decision making.”

  26. Standard & Poor’s Classification
  Weak:
  • Limited capabilities to consistently identify, measure, and manage risk exposures across the company and thereby limit losses
  • Execution of risk management is sporadic
  • Losses cannot be expected to be limited in accordance with predetermined tolerance guidelines
  • Business managers have yet to adopt a risk management framework
  • Risk management satisfies regulatory minimums but is not regularly applied to business decisions
  Excellent:
  • Extremely strong capabilities to consistently identify, measure, and manage risk exposures and losses within the company's predetermined tolerance guidance
  • Consistent evidence of the practice of optimizing risk-adjusted returns
  • Risk and risk management are always important considerations in corporate decision making

  27. Standard & Poor’s Cultural Indicators
  Most Favorable:
  • Corporate risk management responsibility rests with a senior, influential officer, with regular reporting and access to the board
  • Risk tolerance is clearly articulated and consistent with firm goals and expectations
  • Risk management policies and procedures are clearly stated and widely known
  • Management views its risk management capabilities as a competitive advantage
  Least Favorable:
  • Corporate risk management responsibility rests with a middle manager or is nonexistent
  • Access to the board is ad hoc or limited
  • Risk tolerance is unclear and may vary from situation to situation
  • Risk management policies and procedures are not fully documented
  • Management views risk management as a frustrating constraint imposed by external policies

  28. Standard & Poor’s Control Indicators
  Most Favorable:
  • Demonstrated process to identify significant risk experience
  • All significant risks monitored on a regular basis with timely and accurate measures of risk
  • Clearly documented limits and standards for risk taking and management that are widely understood
  • Risk limits are enforced with clear, predetermined consequences for exceeding limits
  • Defined loss-event post-mortem review to determine if process improvements are necessary
  Least Favorable:
  • Not all significant risk exposures have been identified
  • Risk monitoring is informal, irregular or nonexistent
  • Risk limits are not documented or are too broad to have an impact on operational decision making
  • Review of compliance with limits is irregular and there are often no consequences for exceeding limits
  • Minimal or limited review of loss events

  29. ERM Value: Better Decision Making
  • Facilitates risk management gap analysis
    • Helps optimize gap-closing spend and activities
  • Common language and measurement of risk allows for more efficient risk monitoring and communication (eliminates duplication of effort)
    • Also provides a context to align risk and control responsibilities
  • Provides a meaningful context for external stakeholders
    • Shareholders are aware of risks to strategy and of management's process to respond to and control unwanted risk levels
    • Rating agencies understand how risk is factored into decision making to optimize risk and reward
  • Demonstrates good “tone at the top” corporate governance
