Enterprise Risk Management

Transcription

1 Enterprise Risk Management Current update: 09/16/10 Original Issuance: 03/31/08 Purpose This policy provides guidance and direction to State Board of Administration business unit heads for identifying, assessing, monitoring and managing risk. The policy also sets forth the roles of the Risk Management and Compliance (RMC) Unit and Risk and Compliance Committee. Policy It is the policy of the Executive Director & CIO of the State Board of Administration (SBA) that: A dynamic risk management framework shall be developed and maintained via a risk management plan which will ensure that risks undertaken by the SBA, and the applicable risks undertaken by external parties that assist the SBA in performing its duties are identified, understood, assessed and effectively managed. Background and Implementation By identifying, assessing, monitoring and managing the risks within their respective business units on a regular basis, SBA business unit heads will improve the probability that risks at the consolidated enterprise level will be consistent with the organizational goals and objectives of the SBA enterprise and within risk tolerances approved by senior management. Components of Enterprise Risk Management The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed and published Enterprise Risk Management Integrated Framework in 2004 in response to heightened concern and focus on risk management, particularly in light of a series of high profile business scandals and failures. Within their framework, the COSO set forth that enterprise risk management consists of a number of interrelated components, which are derived from the way management runs a business and are integrated with the management process. These components are: Internal environment - Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by staff. Objective setting Objectives must exist before management can identify

2 potential events affecting their achievement. Enterprise risk management ensures that objectives are consistent with the entity s risk appetite. Event identification Potential events, both internal and external, that might have an impact on the entity and affect achievement of objectives must be systematically identified. Risk assessment Identified risks are analyzed and assessed on both an inherent and a residual basis, with the assessment considering both risk likelihood and impact. Risk response Management must identify and evaluate possible risk responses, which include avoiding, accepting, reducing and sharing risk, that are aligned with the entity s risk tolerances and risk appetite. Control activities Policies, guidelines and procedures are implemented to ensure risk responses are effectively carried out. Information and Monitoring Relevant information is identified, captured and communicated in a form and timeframe that enables staff to execute their responsibilities and to monitor risk, allowing staff to react dynamically as conditions warrant. Risk Management and Compliance Unit The role of the RMC unit is to provide independent and objective oversight, coordination and support to risk management processes at the SBA. RMC shall centrally coordinate the cross-functional management of enterprise-wide risks and shall provide an enterprise-wide consolidated view of risks and risk control procedures. RMC will be responsible, through their participation in the Senior Investment Group and Senior Operations Group (and their associated oversight sub-committees/groups), for reviewing and evaluating new initiatives, products and processes, both investment and operational, to ensure adequate risk identification, assessment and management (i.e., reasonable risk avoiding, accepting, reducing and/or sharing tactics have been identified) has been performed by the business unit(s) implementing the proposed change. In addition to promoting enterprise-wide awareness of risk management, RMC will seek to enhance senior management s awareness and understanding of the key risks faced by the SBA (i.e., likelihood and potential severity), in order to help advance the goals and objectives of the SBA. RMC will accomplish this through reporting risk management and control issues to the Executive Director & CIO, and the Risk and Compliance Committee on a regular basis. The Executive Director & CIO retains all decision-making authority over the enterprise risk management function and corresponding strategic risk management and control issues. RMC, in turn, shall advise the Executive Director & CIO on enterprise risk management related policies, processes and issues including:

3 Promoting a culture of risk awareness, including fostering a cross-functional and enterprise-wide focus on risk management; Providing guidance on the risk management and control aspects of SBA policies; Reviewing risk inventories, risk assessments, risk and compliance issues identified by external audits and consultant recommendations, and associated risk response strategies; Reviewing enterprise-wide risk limits and compliance exception reports; Facilitating the implementation of appropriate risk standards and controls; Facilitating the analysis and reporting of key risk information; Reviewing new program/product/investment vehicle risks, including evaluating the effect on the SBA s overall risk profile; Reviewing recommendations by the Office of Internal Audit (OIA) that identify risk management and compliance-related issues. Risk and Compliance Committee The Risk and Compliance Committee serves as a cross-functional consultative forum which: Provides feedback and direction to new and ongoing RMC initiatives; Reviews significant/material compliance exceptions; Reviews and evaluates effectiveness of compliance monitoring efforts Evaluates management efforts for key enterprise risks; Identifies, reviews and assesses emerging risk issues, continuously scanning for potential new or altered industry, vendor, environmental or internal risks; and Provides an opportunity for RMC to promote awareness among senior management pertaining to the risk management and compliance-related issues facing the SBA. The Risk and Compliance Committee is composed of the following staff members: Executive Director & CIO (Group Leader) Chief Risk and Compliance Officer, (Staff Director) Deputy Executive Director Chief Operating Officer Senior Investment Policy Officer Inspector General General Counsel Director of Investment Risk Management Senior Defined Contribution Programs Officer (as needed) Senior Hurricane Catastrophe Fund Officer (as needed) Senior Officer Investment Programs and Governance

4 Business Unit Risk Management This section of the policy applies to all business units except Office of Inspector General and Office of Internal Audit. Risk Identification Business units will implement a regular risk identification process to maintain a current inventory of key risks faced by the unit. The objective of this process is to identify any significant potential risks that have not been addressed in existing policies, procedures or guidelines, but which may require further assessment, monitoring and management. Risk Assessment Business units will conduct quantitative and/or qualitative risk assessment on a regular or as-needed basis, including accounting for the risk exposures that are incurred on the SBA s behalf by external entities. Risk Management Response Strategies Business units will develop and implement risk management response strategies that may include any prudent combination of the categories of risk response, i.e., avoidance, reduction, sharing and acceptance. In considering a risk management response, business units shall consider risk likelihood and impact, as well as cost and benefits, when developing a response that brings residual risk within desired risk tolerances. Policy Development and Implementation Business units will develop policies, guidelines, or procedures as necessary that implement risk management strategies and associated control activities. Monitoring and Reporting Business unit heads or their designees shall monitor business unit risks on a regular or as-needed basis. Business units will institute and maintain escalation thresholds and/or procedures to promote timely reporting of risk issues as they arise and to ensure prompt action is implemented as necessary. Material issues will be reported to RMC as soon as they are identified. RMC will in turn review material risk issues and report them to the Executive Director & CIO, and/or the Risk and Compliance Committee at a regularly scheduled meeting, or immediately if the severity and/or frequency of the issues warrant such action. Risk Management Plan An updated SBA Risk Management Plan shall be prepared by the RMC unit on an annual basis. The Risk Management Plan shall include the identification of enterprise-wide

5 risks, as well as business unit risks, assessments of identified risks, including likelihood and severity, and current response strategies. Business units are required to update their component of the SBA Risk Management Plan annually and timely submit their updates to RMC as requested. The Risk Management and Compliance Committee shall be responsible for reviewing the Risk Management Plan prior to approval by the Executive Director & CIO. Compliance RMC and SBA business unit managers and supervisors are assigned responsibility for compliance with this policy through regular and routine risk identification and assessment, development of risk response strategies, and development of policies, guidelines and procedures that clearly outline relevant control requirements and monitoring processes. RMC and business unit managers may develop additional procedures to implement this policy and shall maintain sufficient documentation to demonstrate compliance with this policy. The Inspector General may review and test compliance with this policy as deemed necessary.