Driving Business Performance with Enterprise Risk Management

Transcription

1 WHITE PAPER Driving Business Performance with Enterprise Risk Management JUNE 2009 Clarity. Confidence. Control.

2 Table of Contents Executive Overview 2 SECTION I What is 3 Why Companies Need Effective ERM 4 How ERM Can Improve Business Performance 4 SECTION II Key Challenges for Risk Managment 5 Integrating Risk and Compliance 5 Getting Started with ERM 6 Success Factors 6 SECTION III OpenPages Vision for ERM 7 A Superior Solution for Today s ERM Needs 7 Embed Risk Management into Business Operations 7 Unify Risk and Compliance Management Across the Enterprise 8 OpenPages Solutions 8 The OpenPages Advantage 9 SECTION V Conclusion 9 About OpenPages : OpenPages is the leading provider of enterprise GRC management solutions that optimize business performance. OpenPages empowers the world s largest companies by unifying governance, risk and compliance (GRC) activities across the enterprise and by incorporating risk management into their everyday business processes. Market-leading corporations select OpenPages because of its domain expertise and software solutions that seamlessly adapt to their unique risk management methodologies while providing the flexibility to evolve their governance, risk and compliance processes over time. For more information call or visit us online at OpenPages, Inc. All rights reserved.

3 Executive Overview The recent financial market meltdown has highlighted the importance of risk management in protecting and creating shareholder value. It is widely acknowledged that the current crisis has been driven by failures in risk management and oversight that led many organizations to rethink their risk-management strategies. While clearly there were management mistakes that led to the current crisis, it s also true that executive management and boards of directors need a better understanding of how risk is being managed in their businesses to drive shareholder value. Unfortunately, the ability to accurately assess, monitor, and manage the key risks to the business has proven to be very difficult. Compounding this risk-management challenge, regulators around the world will likely be enacting stronger regulation and pursuing a stricter line of regulatory oversight with regard to risk management. As U.S. Secretary of the Treasury Timothy Geithner recently declared, We need much stronger standards for openness, transparency, and plain, common sense language throughout the financial system. One of the main challenges is that risk-management functions frequently operate in silos. For instance, in some banks leading up to the crisis, there were serious operational risks (e.g. mortgage fraud) as part of the lending process that when realized led to these banks holding large positions in toxic assets. A better integration across the operational and credit risk functions could have mitigated these risks. In addition to delivering poor outcomes, a siloed approach to risk management is expensive, the result of its multiple, redundant data collection processes and duplicative technology infrastructures. Going forward, executives will rethink their risk-management infrastructures and design them with a level of integration across heretofore siloed functions. By integrating risk-management silos through a consolidated technology infrastructure and shared processes, companies can benefit from improved efficiencies, reduced costs, and improved transparency in the interdependencies of risks in the business. In addition, companies are increasingly adopting a risk-based approach to managing their business. A risk-based approach identifies the key business processes and associated risks and then allocates resources accordingly. All companies are under pressure to reduce costs, so focusing on the right risks in the business is more critical than ever. To meet these challenges, many firms are increasingly turning toward enterprise risk management (ERM) and supporting technology solutions. ERM provides organizations a programmatic way to deal with business uncertainty and the associated risk and opportunity. By utilizing disciplined risk and compliance management programs, firms can manage unexpected outcomes and reduce the impact of risk events when they do occur. Firms that successfully measure and act upon risk-adjusted returns are typically rewarded with higher valuations from financial markets, higher credit ratings and lower costs of capital. But enterprise risk management encompasses more than balancing risk and reward, and it goes beyond regulatory compliance. Providing enhanced visibility into the risk landscape, ERM empowers business managers to make smarter decisions that maximize value, reduce costs and balance risk with returns. When embedded into everyday processes at all levels of the organization, risk management will drive business performance. 2

4 What is ERM establishes a framework for identifying, measuring, monitoring and managing risk. It acknowledges that business risks are intertwined and should be managed in an integrated manner. A comprehensive ERM program will: Align the firm's risk appetite with business objectives Identify and manage multiple and cross-enterprise risks Enhance and optimize the control environment Reduce the frequency and severity of operational surprises and losses Enhance the rigor of the firm's risk-response decisions Proactively seize on the opportunities presented to the firm Improve the effectiveness of the firm's capital deployment Effective enterprise risk management requires an integrated risk organization that is responsible for all aspects of risk within the company, including setting policy across risk-taking activities. ERM breaks down silos, enabling companies to take a portfolio view of all types of risks, including financial risk, operational risk, technology risk and compliance risk, which helps to optimize risk transfer strategies and increase efficiency. Finally, ERM integrates risk management activities into the everyday business processes of the company. In this manner it will optimize business performance by supporting and influencing pricing, resource allocation, and other business decisions. 3

5 Why Companies Need Effective ERM In today's turbulent business environment, risk has taken on a higher profile and has created greater responsibilities for those who manage it. Across financial services, energy and gas, manufacturing and other industry sectors, companies are challenged to compete efficiently and effectively, while complying with new regulations and contending with greater expectations for risk management and transparency. Executive management and board members want to know how risk is being managed in their businesses and, in particular, how to better manage risk to drive business performance and create the greatest reward for their shareholders. Many factors are heightening the focus on risk. High profile failures in the energy and communications sectors, the subprime mortgage crisis in banking, and recent regulations and standards around corporate governance, compliance and risk management, have combined to bring increased scrutiny to corporate boardrooms. Management is under pressure to avoid catastrophic losses and adhere to new regulations. To meet these challenges, companies are focused on improving operational efficiencies, managing risk and compliance across the enterprise, and allocating capital with a true understanding of how risk/reward impacts profitability. How ERM Can Improve Business Performance One of the foremost objectives of a comprehensive risk management solution is to decrease the overall volatility of earnings while maintaining an adequate rate of return. Using a risk-adjusted rate of return to measure business units, capital projects, departments or individuals, management can reward behavior that maximizes return, while providing an incentive to examine and adjust the risk taken by the corporation thus decreasing volatility. The capital markets are rewarding companies that manage risk well. Externally, corporations able to demonstrate lower earnings volatility than their competitors are typically rewarded in the financial markets with a higher valuation. Likewise, if a company is able to demonstrate superior control to creditors, they may observe a lower cost of debt than their competitors. These rewards accrue because better management of risk can lead to more certainty around the achievement of business objectives, which, in turn, can increase returns for the organization s shareholders. Qualitative measures indicate that effective risk management promotes better business performance, increases efficiency and aids effective corporate governance. An organization that better manages risk is characterized by: Fewer Surprises Proactive identification and management of key risks can decrease unexpected events, reduce earnings fluctuations and increase stakeholder confidence. More Effective Decision-Making Better decisions are made when a structured consideration of risk is built into existing activities. Improved Corporate Governance Defined risk reporting and communication protocols can help fulfill expectations of key stakeholders and regulatory compliance. 4

6 Key Challenges for Risk Management A Deloitte research paper 1 found that across a wide range of industries, the following challenges are foremost in senior executives minds: Managing critical risk interdependencies Fostering a strong ethics and control culture Proactively addressing low-frequency, high-impact risks Providing timely information on control factors The Deloitte study indicates 80 percent of the companies that suffered the greatest losses in value were exposed to more than one type of risk, and there was little or no alignment, coordination, or leverage of risk assessments. As a result, many firms failed to recognize and manage the relationships among different types of risks. Actions taken to address one type of risk, such as strategic risk, can often increase exposure to other risks, such as operational or financial risks. Deloitte also found that corporate cultures and incentive systems had a strong impact on risk exposure. For example, firms that set high premium for returns without complementary controls over risks can expose themselves to major value and brand losses. Many firms lack the risk assessment process or the right skills to assess and monitor rare but high-impact risks. Some of the greatest value losses in the Deloitte study were caused by exceptional events such as the Asian financial crisis, the bursting of the technology bubble, and the September 11th terrorist attacks. Deloitte says a number of organizations lacked access to current information required for senior management to respond quickly to emerging problems. In addition, the volume and disparity of risk reports from across the organization overwhelms senior executives. Integrating Risk and Compliance Managing compliance in silos is both cumbersome and costly. For each new regulation, organizations typically implement a new technology point-solution aimed at the specific regulatory mandate. This fragmented approach limits an organization s ability to streamline compliance processes and reduce costs. It may also obscure the opportunity to integrate compliance with other ERM efforts including operational risk management and technology risk management. Many companies are now realizing that while regulatory mandates and business risks vary in scope and complexity, the process for identifying, measuring, monitoring and managing them is very similar. An enterpise GRC management solution can help companies meet the increasing burden from regulatory compliance requirements and risk management, while gaining tangible benefits. 1 Disarming the Value Killers: A Risk Management Study, Deloitte Research Study, Unifying risk and compliance across the enterprise and incorporating risk management into everyday business processes will enable executives to focus on those elements of their risk activity that have the greatest positive impact on the organization. Business managers can spend less time on assessments and more time on proactively managing risk and processes to meet company objectives. 5

7 Getting Started with ERM The key to successful risk management is establishing an ERM Framework that integrates risk and compliance programs and provides visibility into the state of key risks across the enterprise. If you do not rationalize the overlap between risk and compliance activities, the cumulative effect of having to manage separate assessment, documentation and reporting requirements may actually hinder your ability to effectively assess enterprise-wide risk and the adequacy of internal control systems. An ERM framework should assist management and staff in the performance of their duties by setting out clear responsibilities and accountabilities in relation to the management of risk. This will enable executives to focus on those elements of their risk activity that have the greatest positive impact on the organization. In addition, the framework will help identify and manage interdependencies among all the risks facing the firm. The framework should also establish a consistent approach across the organization s businesses by providing minimum standards for risk management. This will ensure that risk policies, principles and procedures are both adequate and effective. By eliminating risk and compliance management silos and harmonizing risk and compliance activities you can greatly reduce the burden on the business lines, freeing up resources to focus on achieving goals. Success Factors There are several success factors that are critical to establishing an integrated ERM framework and process that can be effectively implemented, managed and maintained: Senior management buy-in and commitment. Senior management must make the risk management program a high priority initiative throughout the company and foster a culture emphasizing the central importance of ethical behavior, quality control, and risk management. In addition, risk managers accountability and responsibility should be tied to individual incentives. For example, compensation incentives should be aligned with long-term value creation and brand protection. A strategic vision and realistic implementation plan. There has to be clear connections between the risk program s vision and the company s strategic and business objectives. The implementation plan should follow a phased approach creating smaller successes that serve as building blocks. Firms should strive to build a risk-aware culture where risk management processes are embedded into the DNA of the company. ERM should converge and harmonize methodology and processes. For example, firms will need to establish a common risk rating methodology for all risk data, such as loss events, risk assessments, and key risk indicators (KRIs). They will also want to eliminate duplicate and redundant assessments by implementing a single sign-off. Stress testing and scenario analysis should ensure that internal controls and business continuity plans can withstand the shock of high-impact events. 6

8 The role of technology. Meeting the increasing demands of ERM in a large organization requires effective technology support to manage enterprise risk in a rigorous and systematic way across the entire business. Technology should be an enabler supporting the risk and compliance management process and methodology not defining the process and methodology. Key objectives include: Providing real-time data management and decision support to ensure that senior management and boards of directors receive accurate information on the causes, financial impact, and potential mitigating actions to control issues. Automating and streamlining risk/compliance processes (e.g. RCSA, Loss Events, Scenario Analysis and KRIs). Supporting enterprise-wide risk assessment, measurement and reporting through a central repository of policies, procedures, risks, and controls. Integrating with other applications to leverage data that exists elsewhere in the organization (e.g. KRIs). OpenPages Vision for ERM A Superior Solution for Today s ERM Needs OpenPages has helped leading companies worldwide to leverage risk management strategies to improve their business performance. With OpenPages, companies can execute solid risk and compliance management activities to prevent most problems and to reduce the impact of problems when they do occur. OpenPages solutions provide enhanced visibility into the firm s risk landscape, enabling business managers to make smarter decisions that maximize value, reduce costs and balance risk and returns. OpenPages enterprise GRC management solutions enable companies to eliminate risk and compliance silos, manage risk across the business, sustain compliance across multiple regulations, and embed these activities into their core business practices. OpenPages can help: Meet new and evolving regulations including Basel II, Solvency II, GLBA, AML and SOX. Automate compliance and supervision to help oversee business processes and employee activities, and review business processes against organizational policies and regulatory guidelines. Proactively manage all aspects of operational risk including risk and control self assessments, scenario analyses, loss events and key risk indicators. Allocate capital efficiently using a risk-based understanding of profitability and performance of business units and product lines. Embed Risk Management into Business Operations Risk management should be viewed as a competency that is embedded in the organization. Most leading companies have tailored their risk methodologies to match their business operations. OpenPages solutions enable these companies to incorporate risk management in everyday processes at all levels of the organization, making risk management a competitive advantage. Only OpenPages provides an enterprise software solution that adapts to each company s unique risk management methodology and framework, without having to write custom code. 7

9 Unify Risk and Compliance Management Across the Enterprise A comprehensive approach to managing risk throughout the business both mitigates risk and optimizes overall business performance. This approach enables organizations to reduce duplication of effort, increase efficiency, and make smarter business decisions. OpenPages serves as the foundation for enterprise risk management through the unification of risk and compliance initiatives within a single enterprise system. Through a single system of record and set of platform services, OpenPages coordinates multiple risk disciplines, allowing organizations to easily and efficiently manage integrated risk and compliance processes throughout the business. OpenPages Solutions The OpenPages Platform serves as the foundation for enterprise-wide risk and compliance through its ability to unite an organization s risk and compliance operations within a single system, comprised of: Comprehensive and Integrated Suite of Applications Best-in-class applications for Financial Controls Management, Operational Risk Management, Compliance Risk, IT Risk and Compliance, and Internal Audit. Hosted on the OpenPages Platform, these applications share data and services and allow you to adopt a modular approach, beginning with high priority risk areas (for example SOX) and incrementally addressing other risk disciplines. Central Repository for Policy, Risk & Controls Management The OpenPages platform provides organizations with a single system for all governance, risk and compliance information. Adaptable to match any industry standard/framework and configurable to match an organization s unique requirements, the OpenPages Platform creates a central repository and a consistent means for managing all governance, risk and compliance elements including frameworks, libraries, policies, entities, accounts, processes, risks, controls, action plans, applications, systems, loss data, key risk indicators and more. 8

10 Platform Services Based on an Extensible Architecture The OpenPages Platform provides a collection of services including document management, content management, audit trails, workflow, security, publishing and reporting in a high availability, highly configurable environment. The OpenPages Platform is built with open and extensible technologies that scale to meet the need of complex/large organizations and enable a flexible approach to risk and compliance management. Integration with Best-in-Class Applications Through OpenAccess, OpenPages Web Services-based integration, the OpenPages Platform can interoperate with leading third-party applications to enhance policies and procedures with actual business data. Connectivity to financial consolidation systems, audit tools, continuous controls monitoring systems, loss-event databases, capital allocation calculation engines and others provides heightened visibility into business operations, serves as early warning indicators for potential threats and increases efficiency, accuracy and data integrity in the governance, risk and compliance lifecycle. The OpenPages Advantage ERM, similar to most business processes, is not a one-size-fits-all solution. It has to be customized and tailored for each firm. As Mark Olson of the Federal Reserve notes: An effective enterprise-wide compliance-risk management program is flexible to respond to change and it is tailored to an organization's corporate strategies, business activities and external environment. 2 Some of the world s largest corporations select OpenPages software because it seamlessly adapts to their unique risk management methodologies while providing the flexibility to evolve their risk and compliance processes over time. OpenPages provides a highly configurable solution that supports your specific methodology, without having to write custom code. The result is that companies can embed risk management into the business and improve outcomes over time. Specific benefits include: Lower costs: custom code is more expensive to develop for initial implementation and much more expensive to maintain and extend over time. Time to deployment: OpenPages patented metadata driven application framework provides unparalleled configuration to support rapid implementation at a fraction of the time compared with custom development approaches. Future proofing: OpenPages unique configuration capabilities will allow you to quickly adapt your risk framework to meet changing requirements while minimizing the impact on your business operations. 2 Mark Olson, Federal Reserve Governor (Reuters, April 2006) 9

11 Conclusion Emerging technologies, new financial instruments, the growing scale and scope of global markets, and changing regulatory frameworks are constant challenges. Enterprise risk management can help an organization meet many of these challenges. OpenPages enables organizations to successfully implement enterprise risk management frameworks, providing companies with the ability to manage unexpected outcomes and to reduce the impact of realized risks when they do occur. OpenPages Enterprise GRC Management solutions allow managers to deploy resources more effectively and take appropriate risks that will help their companies achieve desired business outcomes. 201 Jones Road, Waltham, MA Tel: Fax: Web: WP