1 Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA
2 What is Risk Management? Risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2
3 Risk Management: The Big Picture Strategic Goals Must align with the mission, overall objectives, vision, and values Must be clear & concise Foundation for risk planning and solid internal controls Internal Control Describing Approach to Risk Management Benefits Characteristics Approaches & processes Communication Strategy Foundation Risk Jl 3
4 Key Organizational Concepts Mission Vision Values Strategy Metrics Performance Evaluation
5 The Big Picture Key Relationships!! Governance Enterprise Risk Management Internal Control 5
6 Enterprise Risk Management (ERM) Framework
7 What does risk management encompass? Aligning risk appetite and strategy Enhancing risk response decisions Reducing operational surprises and losses Identifying and managing multiple and crossorganizational risks Seizing opportunities Improving deployment of capital
8 Benefits of Risk Management Achieve the entity s performance targets Achieve the entity s profitability targets Prevent loss of resources Ensure compliance with laws and regulations Avoid damage to entity s reputation It helps the management and board of an organization achieve its goals avoid pitfalls and surprises along the way!
9 Risk management is a process, ongoing and flowing through an entity
10 Key Risk Concepts: Risk Management An Intentional Process Effected by people Applied in strategic context Applied across the enterprise Designed to identify events potentially affecting the entity Intended to manage risk within an entity s risk appetite Provides reasonable assurance Geared to achievement of objectives 10
11 Risk Management: Linking with the Achievement of Objectives Types of objectives: Strategic high level goals, aligned with and supporting its mission Operations effective and efficient use of resources Reporting reliability of reporting Compliance applicable laws and regulations These four categories are distinct, but overlapping One objective can fall into more than one category Top of the cube!
12 Key Concepts: The COSO Enterprise Risk Management Framework Cube Representation
13 Components of Enterprise Risk Management Internal environment Objective setting Event identification Risk assessment Risk response Control activities Information and communication Monitoring Front of the cube!
14 Key Concepts: The COSO Enterprise Risk Management Framework Cube Representation
15 Effectiveness of Risk Management Effectiveness is a judgment Are the 8 risk management components present and functioning effectively? Are there material weaknesses? Have the risk needs been considered within the entity s risk appetite?
16 Limitations of Risk Management Human judgment can be faulty Risk management decisions need to consider the cost vs. the benefits Human failures errors, mistakes Controls can be overridden by collusion between two or more people Management has the ability to override ERM decisions Culture is critical If these limitations exist, the board and management cannot have absolute assurance that the entity s objectives are being considered
17 Risk Management Encompasses Internal Control Internal control is an integral part of enterprise risk management Internal controls make risk management more robust Internal controls can help with conceptualization of risk management
18 Relationships Between ERM and Internal Control Governance Enterprise Risk Management Internal Control 18
19 Key Concepts: Frameworks for Internal Controls and Risk Management Linking the COSO Internal Control Integrated Framework with the COSO Enterprise Risk Management Framework Internal Control Framework ERM Framework Expanded into 3 components 19
20 Roles and Responsibilities for Risk Management Everyone in the organization has some responsibility Board is ultimately responsible Without board oversight, risk management will fail or be suboptimal Senior management team All levels of management For global organizations, consider ways to communicate responsibilities in a way that supports cultural or educational differences
21 Relationships Between Governance and ERM Governance Enterprise Risk Management Internal Control 21
22 Roles and Responsibilities for Risk Management External entities play an important role in how an entity implements overall risk management: Regulators Customers Vendors Overall supply chain Professional organizations
23 Key Risk Concepts: Risk Management Fundamental Characteristics A portfolio view of risks at the entity level Identification of potential events that may impact objectives Risk identification, prioritization, and response Managing risk within the entity s risk appetite Consideration of risk in formulation of strategy 23
24 Key Risk Concepts: Types of ERM Risks Strategic High-level goals aligned to mission Operations Effective and efficient use of resources Reporting Reliability of entity s reports Compliance Effective and efficient use of resources 24
25 Key Risk Concepts: Effective Risk Management Strategies Identify (internal / external) Risks Develop Risk-based Culture Objectives Value Objectives Link & Values Controls Risk Tolerance/appetite? 25
26 Key Risk Concepts: A Process Overview Risk Assessment and Response Manage Risk Within the Entity s Risk Appetite Identification of Potential events that may impact objectives and values Consideration of Risk in Formation of Strategy Application Across the Entity Take a Portfolio View of Risks at the Entity-level Monitor Performance of ERM 26
27 Discussion Question What areas do you believe have primary responsibility for risk management? 1. Accounting / finance 2. Risk management group 3. Legal 4. Compliance 5. Internal audit 6. Unsure How can this vary by culture or business model? 27
28 Key Risk Concepts: ERM Enhances Management Capabilities Align risk appetite Link growth, risk and return Enhance risk responses decisions Minimize operational surprises and losses Identify and manage cross-enterprise risk Provide integrated responses to multiple risks Seize opportunities Rationalize capital 28
29 Key Risk Concepts: ERM Benefits to Management Promotes awareness of existing risk Establishes common risk language Illustrates risk interrelationships and impacts Enables development of more precise risk information Enhances ability to Identify risk in a timely manner Increases confidence to seize opportunities inherent in potential future events Remember. Manage risk within and across business units A common risk language facilitates communication 29 This helps to minimizes operational surprises and losses
30 Key Risk Concepts: Characteristics of Effective ERM Must be owned and led by the board and senior management Encompasses entire business with connection between functional areas Strategies address a full spectrum of risks Processes augment conventional emphasis on probability by also weighing vulnerability Does not solely consider single events, but considers scenarios and interaction between risks
31 Key Risk Concepts: Characteristics of Effective ERM Effective risk management Is a key element of the organizational culture Focuses not solely on risk avoidance, but also value creation Enables entity to take a portfolio view of risk 31 31
32 Key Risk Concepts: Basic ERM Process Responses Events Objectives 32
33 Key Risk Concepts: The Highs and the Lows High Impact / Low Likelihood High Impact / High Likelihood Risk Low Impact / Low Likelihood Low Impact / High Likelihood 33
34 Examples from our conversation (from audience during session) High impact high likelihood data security breach, foreign regulation, health and safety, foreign competition, competition, substitute products, climate change High impact low likelihood airport tower loses communication, security at airport, terrorism, staff turnover, public register of ownership, technology downtown, internet down Low impact high likelihood petty cash, tropical storm, staff turnover Low impact low likelihood??? Audience did not offer many examples in this category! (discussion centered on other three areas above)
35 Key Risk Concepts: What are the BIG Risks? Failure to identify and pursue opportunities IT System Failures Lack of intelligence about marketplace and competitor actions Attracting Capital Sustainability 35
36 Key Risk Concepts: Board Oversight and ERM 4 Critical Roles! 1. Understand the entity s risk philosophy and concur with the entity s risk appetite 2. Know the extent to which management has established effective enterprise risk management of the organization 3. Review the entities portfolio of risk and consider it against the entity s risk appetite 4. Be apprised of the most significant risks and whether management is responding appropriately Source: Effective Enterprise Risk Oversight Role of the Board of Directors, COSO 36
37 Risk Process Considerations
38 Moving thru the framework.
39 Internal Environment Implementation Strategies Risk management philosophy statement Risk appetite describe and communicate Board of directors regularly include on agenda Integrity and ethical values code of conduct, make sure personnel are aware and that the code is alive in the organization Commitment to competence - be clear on how the leaders in the organization support this Organizational structure must be clear and understood throughout the organization Assignment of authority and responsibility air for clarity and understanding in terms of roles Human resource (HR) standards HR goals are transparent and available to all personnel
40 Internal Environment Follow-up - from our conversation indicators of a healthy culture (responses from participants during session) A healthy culture is key to the Internal Environment component of the ERM Framework Staff retention Environmental responsible Personnel climate survey Adherence to policy at acceptable levels Increased incident reporting Employees are proud Communication style Leadership style Reward and recognition Staff development Team building Staff orientation
41 Can you test for a healthy culture? Risk-Related Culture Survey Sample Items Use Scale of 1-5 The leaders of my area set a positive example for ethical conduct I understand the entity s overall mission and strategy Disciplinary action is taken against those who engage in professional misconduct Turnover of personnel has not significantly affected our ability to achieve objectives The leaders in my department are open to communication about risk The leaders in my department are open to bad news
42 Code of Conduct Sample of Key items for Inclusion Letter from chief executive Goals and philosophy Conflicts of interest Sign-offs Discussion Gifts and gratuities Transparency A best practice in reviewing your code of conduct benchmark with similar entities and/or aspirational entities!
43 Moving thru the framework.
44 Objective Setting Strategic objectives Related objectives Operations Reporting Compliance Overlap of objectives Achievement of objectives Risk appetite Risk tolerances
45 Moving thru the framework.
46 Event Identification Events Influencing factors Event identification techniques event inventories, output from planning process, triggers, workshops, interviews, diagrams, lead indicators, analysis of past losses Interdependencies always consider how one event can trigger another Event categories economic, natural environment, political, infrastructure, personnel, process, technology, social, technological Distinguishing risks and opportunities look at both negative and positive outcomes
47 Moving thru the framework.
48 Risk Assessment Context for risk assessment Inherent risk risk if there are no controls Residual risk risk after controls are implemented Estimate likelihood and impact Assessment techniques benchmarking, using probability models Consider relationships between events
49 Key Concepts: Frameworks for Internal Controls and Risk Management Linking the COSO Internal Control Integrated Framework with the COSO Enterprise Risk Management Framework Internal Control Framework ERM Framework Expanded into 3 components 49
50 Four Key Principles of the COSO Internal Control Framework Related to Risk Assessment 1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. 3. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 4. The organization identifies and assesses changes that could significantly impact the system of internal control
51 Four Key Principles of the COSO Internal Control Framework Related to Risk Assessment Operations Objectives Reflects management s choices Considers tolerances for risk Includes operations and financial performance goals Forms a basis for committing of resources 51 51
52 Four Key Principles of the COSO Internal Control Framework Related to Risk Assessment Reporting Objectives External financial reporting objectives Complies with applicable accounting standards Considers materiality Reflects entity activities External non-financial reporting objectives Complies with externally established standards and frameworks Considers the required level of precision Reflects entity activities 52 52
53 Four Key Principles of the COSO Internal Control Framework Related to Risk Assessment Reporting Objectives Internal financial reporting objectives Reflects management s choices Considers the required level of precision Reflects entity activities Compliance Objectives Reflects external laws and regulations Considers tolerances for risk 53 53
54 Four Key Principles of the COSO Internal Control Framework Related Characteristics to Risk Assessment (Points of Focus) Associated With Each of the Four Key Principles of Risk Assessment Identifies and Analyzes Risk Includes entity, subsidiary, division, operating unit and functional levels Analyzes internal and external factors Involves appropriate levels of management Estimates significance of risks identified Determines how to respond to risks 54 54
55 Four Key Principles of the COSO Internal Control Framework Related Characteristics to Risk Assessment (Points of Focus) Associated With Each of the Four Key Principles of Risk Assessment Assesses Fraud Risk Considers various types of fraud Assesses incentives and pressures Assesses opportunities Assesses attitudes and rationalizations 55 55
56 Four Key Principles of the COSO Internal Control Framework Related Characteristics to Risk Assessment (Points of Focus) Associated With Each of the Four Key Principles of Risk Assessment Identifies and Analyzes Significant Change Assesses changes in the external environment Assesses changes in the business model Assesses changes in leadership 56 56
57 Process Considerations: Determine Risk Appetite Quantitative or Qualitative Earnings at risk Reputation at risk Risk Tolerance Range of acceptable variation Risk appetite is the amount of risk (on a broad level) an entity is willing to accept in pursuit of value 57
58 Process Considerations: Establish a Portfolio View of Key Risks Impact Likelihood 58
59 Process Considerations: What is the level of your risk appetite? Impact Likelihood 59
60 Process Considerations: Identify Risk Responses Options Available to Quantify Risk Exposure Impact Likelihood 60
61 Process Considerations: Impact Versus Probability High I M P A C T Low Share Accept Medium Risk Low Risk PROBABILITY Mitigate & Control Control High Risk Medium Risk High 61
62 Risk Response Evaluating possible responses Risk likelihood and impact Assessing costs vs. benefits Opportunities in response options Selected responses Portfolio view
63 Moving thru the framework.
64 Control Activities Integration with risk response Types of control activities top level reviews, activity management, information processing, physical controls, performance indicators, segregation of duties Policies and procedures in writing, wellcommunicated, integrated in culture Controls over information systems general controls, application controls Entity specific controls
65 Moving thru the framework.
66 Information and Communication Using relevant quality information to support the functioning of risk management processes Internally communicating information necessary for the functioning of internal control Externally communicating information regarding matters affecting the functioning of internal control
67 Moving thru the framework.
68 Monitoring The entity selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action
69 Moving thru the framework.
70 Process Considerations: Common Risk Management Failures Less than robust risk management implementation Not a management or board priority: ineffective board oversight Failure to anticipate and respond to changed internal and external environment Reckless risk taking: Compensation not aligned with risk management Overconfidence: Failure to recognize and prioritize remote risks 70
71 Process Considerations: Key Implementation Factors Organizational design of the business Establishing an ERM organization Performing risk assessments Determining overall risk appetite Identifying risk responses Communication of risk results 7 Monitoring 8 Oversight and periodic review by management 71
72 Questions? Contact me at or