Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

Transcription

1 Tying It All Together: Practical ERM Integration Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation November 16,

2 Agenda Basis for ERM Integration ERM Objectives ERM Focus Program Development ERM Oversight Information Flow ERM Process / Risk Coverage Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Pages 9-11 ERM Process/Function Integration Pages ERM Aggregation and Reporting Pages

3 Basis for ERM integration A risk assessment process is in place (i.e. standard approach) An enterprise risk profile exists and is continuously updated Management has made a visible commitment to ERM Risks are discussed across business areas and functions Leadership promotes a risk aware culture An awareness of the ERM approach exists among business leaders 3

4 ERM Objectives Reduce potential exposure through formal and consistent risk management Develop a pragmatic, sustainable framework Create positive business impact due to fewer predictable failures Ensure that risks are considered in decision making Create an integrated approach to manage risk across the business Prioritize risk management initiatives as part of strategic and operating planning Understand impact of risk across businesses, functions and processes Integrate ERM with existing risk related functions and processes Standardize risk monitoring and reporting Conduct ongoing, independent assessment of enterprise-level risks Provide meaningful risk reporting to the Risk Committee and the Board Provide risk information to key business leaders Promote a risk aware culture Provide for effective risk focus and communication across business areas Create awareness of risk interdependencies and impact (break down silos) 4

5 ERM Focus ERM is Focused Primarily on Three Key Areas Risk Identification, Assessment and Remediation Integration with Processes and Functions Risk Aggregation, Monitoring and Reporting Benefits Tools / Activities Enterprise Risk Profile Inherent Risk Inventory Consistent Process Focus on Key Risks Risk discussion across businesses Proactive risk identification and remediation Operational improvements Risk-based decisions Reduce negative surprises Coordinated risk planning and execution Process Integration Strategic Planning Operational Planning Disclosure Functional Integration Internal Audit Compliance SOX Information Protection Six Sigma Eliminate redundancy of risk management efforts Leverage existing risk management processes Common understanding of risks across the business Identification of risk interdependencies Risk Monitor Risk Dashboard Risk Committee Review Board Review ERM Technology ERM Business Committee Review Functional Risk Review Enhance corporate governance / transparency Continuous flow of riskbased information Risk communications Early detection system 5

6 ERM Program Development ERM development, a two year view Quarterly Review and Reporting Risk Committee & Audit Committee ERM Formalized ERM Framework & Process S&P S&P ERM ERM Rating Rating Criteria Criteria Strategic Plan Integration / Divisional Risk Profiles Risk Champions Named for Remediation of Key Risks Disclosure Process ERM Oversight (Risk Committees) Enterprise Risk Profile (Exec. Driven) Internal Internal Audit Audit Planning Planning Six Six Sigma Sigma Enterprise Risk Profile (Business Driven) Compliance, SOX & Info. Protection Risk Monitor Risk Identification, Assessment and Remediation ERM Integration Risk Aggregation, Monitoring & Reporting 6

7 ERM Oversight Enterprise Focus Risk Champions Board of Directors Senior Management Risk Committee Business Area Focus ERM Business Committee Business Areas Identify risks Assess risks Develop risk strategy and remediation plans Evaluate risk exposure Monitor/manage risks ERM Information flow Framework/Methodology Monitor risk exposure Aggregate risk reporting and status to the Risk Committee and Board Support remediation of key enterprise risks Monitor ERM practices Internal Audit Validate remediation Independent review of risk management processes Assurance to senior management and the Board regarding risk exposure Risk Management Risk Support Assurance 7

8 ERM Information Flow Risk Information Enterprise Risk Data Enterprise Issues Risk Tolerance Levels Risk Policies/Procedures Corporate Risk Strategies Information Flow Board of Directors Senior Management Risk Committee - Illustrative - Consolidated Risk Data Integrated Remediation Reports ERM Metrics Risk Committee Reports Board Reports ERM Function Corporate Committees Emerging Issues Risks Exceeding Tolerances Risk Metrics Strategic Planning Data Corporate Functions Risk Review Committee Division B ERM Business Committee Business Units Division A ERM Business Committee Business Units Division C ERM Business Committee Business Units 8

9 ERM Process ERM has enterprise-wide responsibility for helping business leaders to identify, assess, manage and report risk The ERM Process: Aligns risks with strategies and objectives Allows for proactive and consistent assessment of risk across business areas Identify & Assess Risks Ensures development and execution of coordinated remediation efforts Integrate Risk Information with Corp. Processes and Functions Analyze & Quantify Risks Includes measurement of both remediation progress and ongoing management of key risks Provides aggregated reporting and monitoring of risk information Consolidate, Monitor and Report Risks Strategic Plans and Objectives Develop/Execute Remediation Plans Integrates business and functional risk management activities and provides information for strategic and operational planning Develop Measures 9

10 Inherent Risk Inventory - Illustrative - A risk inventory assists in risk identification and prioritization Development Sales & Marketing Setup / Administration Service Delivery Performance Mgmt O p e r a t i o n a l Product innovation Product development / integration Product introduction Product mix Customer needs Intellectual Property Human Capital Integrity Succession plans Communication Statutory regulations Pricing Sales practices Growth challenges Sales compensation Vendor relationships Distribution channel Brand image Skills/Competencies Accountability Change Mgmt. Diversity Culture Role clarity Hiring Retention Key person dependency Process Information Technology Financial Strategic Legal/Regulatory / Compliance Environmental 10

11 Key Risk Focus and Coverage - Illustrative - An integrated approach ensures enterprise focus and coverage for remediation of key risks Enterprise Risks based on input from internal/external stakeholders Business Coverage Audit Coverage Third Party Relationships ERM Coverage Reputation Project Management Privacy Compliance Fraud Management Information Supply Chain Changing Laws and Regulations International Operations Business Continuity Highlighted risks potential areas for increased ERM focus 11

12 ERM Integration ERM is the umbrella for Internal Audit and Compliance, and provides for formal relationships between other risk based functions Enterprise Risk Management Legal, Regulatory and Compliance Risk Strategic Risk Operational Risk Environmental Risk Financial Risk Internal Audit / BCP / Information Protection / SOX / Compliance / Six Sigma Benefits - Reduce the redundancy and overlap of risk management efforts Leverage existing risk management processes and resources Create a common understanding of risks across the business Better identify risk interdependencies Improve the consistency and timeliness of risk identification and assessment Improve risk management coverage Allow for subject matter expert focus on key risks Improve risk reporting 12

13 ERM Integration Two Broad Areas of Focus Process examples Process Strategic/Operational Planning Disclosure Product Development Integration Points Risks aligned with business strategy Business self-assessment ERM risk aggregation Drives ERM and Audit plans / priorities Ongoing comparison of enterprise risks and emerging issues with disclosure risk factors Coordination with Legal & Compliance Product / project risk profile Alignment of risk with upstream / downstream interdependencies M&A Integration with planning and development areas Risk management due diligence and integration assessment 13

14 ERM Integration Two Broad Areas of Focus Functions Stakeholders Control / Attest Functions Internal Audit Compliance SOX Other Risk Functions Bus. Continuity Planning Information Protection Privacy Legal Continuous Improvement Six Sigma Risk Financing Insurance Integration Points Risk based Audit planning (Enterprise Risk Profile) Coordinated coverage for enterprise risks Aggregate flow and reporting of issues Leverage existing risk management processes Identification/prioritization of emerging legal/regulatory and information related risks Front end, proactive review/support of risk assessment activity for new initiatives Common use of ERM methodology Integrated ERM and Six Sigma (DMAIC) methodology Six Sigma supports risk identification Risk assessments trigger improvement projects Risk data used as input to Six Sigma methodology Linkage of risk indicators to business dashboards Continuous review of Enterprise Risk Profile and emerging issues to identify potential risk financing / transfer opportunities 14

15 Corporate Strategic Planning/ERM Integration ERM Supports Enterprise and Business Unit Planning Strategic Planning Function Business Units Sr. Mgmt. / Board Plan Input Planning Context Strategy Drivers External Environment Risk Factors Business Outlook Business Drivers Challenges Opportunities Assessment Enterprise Risk Assessment (update) Enterprise Risk Profile Strategic/Operational SWOT/Assessment Risks / Opportunities (Divisional Risk Profiles) Aggregate Risk Review Plan Output Corporate Strategic Plan Business Plans / Budgets Risk Appetite/ Tolerance Levels Results Communication Strategy (Employees, Clients, Investors, Regulators) Operations Management (Key Metrics/Monitoring) (Critical Projects/Initiatives) Employee Performance Objectives 15

16 Risk Metrics Risk metrics are prioritized and aligned with business targets Strategic and Operational Metrics Objectives: Financial Operational Regulatory Strategic Performance Targets Strategic and operational planning Strategic/ operational metrics Risk identification Risk Thresholds Risk remediation integrated into planning Business Scorecard: Financial Operational Regulatory Strategic Risk Metrics Risks: Financial Operational Regulatory Strategic All risks Impact Criteria Highpriority risks Risk remediation processes and plans Risk metrics 16

17 Risk Reporting (Risk Monitor) In addition to risk metrics, a proactive Risk Monitor can be used to improve management of key risks Purpose Enhance the tracking and flow of risk information across the organization and increase the focus, transparency and urgency of remediation. Audience Company leadership, the Risk Committee and the Board of Directors Key Points Alignment with enterprise risk profile allows for ongoing focus Input from business areas and functions (through ERM Business Committee) Risk functions (ex. Compliance, Internal Audit, SOX and ERM) coordinate and review issues and interdependencies, and assess impact Remediation of issues is tracked and reported ensuring accountability Emerging issues (a watch list) provides a forward looking view of potential impact (positive or negative) An external scan allows for continuous view of industry, competitor and environmental issues 17