Demystifying Enterprise Risk Management:

Transcription

1 Demystifying Enterprise Risk Management: How a practical and effective approach to ERM can lead to value creation for your company. Presented by: Alyssa Martin, CPA, MBA

2 Alyssa G. Martin, CPA Dallas Executive Partner at Weaver with 24 years of experience in public accounting. Practice emphasis in the areas of risk management, internal audit, IT audit, business management consulting, strategic planning, and technology consulting. Member of the Executive Advisory Committee of the Accounting and Information Management Area of the University of Texas at Dallas School of Management Chair of the Baker Tilley International Corporate Governance and Risk Management Committee Frequent author on Risk Management, Internal Audit, IT and Governance topics

3 Agenda ERM Basics: Defining, differentiating ERM from other risk management approaches Approach and Methodology: Understanding the purpose of identifying risk events Components of a Successful ERM Program: Key elements for effective ERM Practical Insights on ERM: How businesses get the most value out of strategic risk management

4 ERM Basics Defining and differentiating ERM from other risk management approaches

5 What is Risk? Risk: Events that have the potential to negatively impact achievement of objectives Anything that would prevent an organization from achieving its business objectives, including both internally and externally driven, or due to either action or inaction on our part Wal-Mart

6 Defining Risk Management Defining Risk Management COSO-ERM Framework: Enterprise Risk Management is a structured and coordinated entity wide governance approach to identify, quantify, respond to, and monitor the consequences of potential events. Implemented by management, ERM is evaluated by the internal auditors for effectiveness and efficiency. ISO 31000: The Risk Management Process is a systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk

7 Defining Risk Management Risk Management is not the same as Risk Assessment Risk Assessment: The process of identifying and evaluating individual risks for the purpose of determining risk responses Risk Management: A comprehensive set of risk management activities that includes Risk Assessment and incorporates all components of the COSO Framework Effective, Strategic Risk Management: Focuses on value creation and linking risks to business strategy Embeds risk management in business processes in order to systematically ensure that processes are designed to achieve strategic objectives Identifies positive events (opportunities) upon which to capitalize, in addition to identifying risks

8 Defining Risk Management Enterprise Risk Management incorporates a broad spectrum of considerations: Financial and nonfinancial indicators Intangible assets, like your brand Enhancing business strategy External influences Operational management Opportunities in addition to risks Risk Management is a Consistent, Continuous Process

9 Risk Management Effective Risk Management also involves: Implementing Good Governance Identifying Risks Effective Strategic Management Enhancing Business Strategy

10 Defining Enterprise Risk Management Enterprise Risk Management (ERM) is: A process Effected by people Applied in strategy setting Applied across the enterprise Designed to identify potential events (both positive and negative) Manages risk within risk appetite Provides reasonable assurance Supports the achievement of key objectives

11 Did you know? According to a recent study: 91% of companies surveyed plan to reorganize their approach to risk management over the next three years Why? Increased volatility across 11 risk areas surveyed which included: Strategic risk Reputational risk Operational risk Source: Deloitte, Aftershock: Adjusting to the New World of Risk Management

12 Differentiating ERM from Risk Compliance ERM can be distinguished from risk compliance in that it: Focuses on value creation and linking risks to business strategy Embeds risk management in business processes in order to systematically ensure that processes are designed to achieve strategic objectives Identifies positive events (opportunities) upon which to capitalize, in addition to identifying risks Compliance has a narrower scope, focusing strictly on adherence to legal and regulatory requirements. Compliance risk tends to focus on: Financial risk Regulatory risk ERM takes a broader approach, focusing on: Financial and nonfinancial indicators Enhancing business strategy Opportunities in addition to risks Operations within the Company

13 Key Takeaways ERM Basics: ERM is a process effected by people to align risks to strategic objectives across the enterprise ERM should not function in a silo Risk management is not merely risk assessment or compliance. Goals of risk management are broader and strategic in nature. Focus on financial and nonfinancial indicators. Focus on mitigating risks and harvesting opportunities.

14 Approach and Methodology Understanding the purpose of identifying risk events

15 Why ERM? ERM necessitates proactive identification of risk. Waiting until a risk becomes a hot button issue can create other risks (i.e., reputational risk ), and promotes a reactionary culture. Proactive identification of risk empowers management to make sound decisions in the strategy-setting phase, prior to implementation. Thus, risk consciousness is baked in to the strategic plan.

16 Why ERM? ERM Seeks to Identify: The Why (root cause risk): Establishment of an ERM risk universe through which all organizational root cause risks are identified at their source Allows users to develop the arsenal of actions to establish a plan to address a risk at its source and eliminates the fallacy that you can manage the consequence The What (risk identification description): Linking all risks to their root cause The Where we need to be (risk tolerance): Identifying the degree of future residual risk that is acceptable for every root cause risk, at all management levels

17 Why ERM? ERM Seeks to Identify, continued: The Who (risk owner and mitigation action owner): Attaching ownership to the correct root cause risks at every level of the organization Ensures organizational structure is focused on exactly what employees can and should own, so there is no conflict between accountability and ability The So What (inherent risk likelihood and impact) The What are we going to do about it (mitigation action plans) The The Who and by When (mitigation due date): Mitigation action ownership and timeline The Where are we (current residual risk): Likelihood after mitigation actions

18 Anatomy and Lifecycle of a Risk Event ERM seeks to identify and address risks here instead after they have impacted the company of reacting to risk events here Stage 1 - Root Cause Event Signal Stage 2 - High Risk Environment Stage 3 - Root Cause Event Stage 4 - Risk Realization and Consequence Stage 5 - Management / Mitigation Factors/signals are present that create a high risk environment. Can be identified through monitoring of Key Risk Indicators (discussed in Monitoring section). A high risk environment has resulted from the signals identified in Stage 1. High potential for root cause event. An event occurs that creates potential for significant risks to be realized. A significant risk event occurs, impacting the company. A snowball effect can occur, causing risks to multiply at this stage: Reputation risk Fraud risk Management evaluates outcome and establishes mitigation strategy to avoid future risk.

19 Anatomy and Lifecycle of a Risk Event If the risk had been identified here through monitoring of Key Risk Indicators the cause event may never have occurred and the risk may never have been realized. Stage 1 - Root Cause Event Signal Stage 2 - High Risk Environment Stage 3 - Root Cause Event Stage 4 - Risk Realization and Consequence Stage 5 - Management / Mitigation Tire pressure is low Flat tire Car Accident Increased insurance cost Relegated to high risk pool Inability to negotiate terms Switch insurance providers Wait for accident to clear from record Take defensive driving Check tire pressure regularly

20 Key Roles in Enterprise Risk Management: Who Owns ERM? ERM is typically owned by one of the following individuals: Chief Risk Officer General Counsel Internal Audit The ERM owner is responsible for: Reporting results of risk management activities to the Board Assisting the CEO and Management with ongoing monitoring of key risks Developing risk management policies and communicating them throughout the organization Determining risk ownership within the organization The Risk Management function should report to the Board to ensure: Independence from operations Sufficient authority to solicit and obtain buy-in from key executives

21 Key Roles in Enterprise Risk Management: The Board s Responsibilities: Governance ERM should be integrated with governance processes to ensure systematic linkage of strategy, risks, and risk appetite Oversight Ensure that the organization has an awareness of the risk appetite. Set the tone at the top in order to establish sound risk culture that mirrors risk tolerance and appetite Monitoring Stays up-to-date on the status of ERM implementation Understand the linkage between management s strategies, critical risks and opportunities to ensure that risk management activities are consistent with the organization s risk appetite Reviews feedback from internal audit, external audit, bank regulators and other professional service providers

22 Key Roles in Enterprise Risk Management: Management s Responsibilities: Lead the charge Executive management must lead the charge in implementing ERM. Every manager is responsible for ERM since it is embedded within the processes and overall decision-making throughout the organization Understand and incorporate vision Create strategies and tactical plans that are cohesive with the vision and risk appetite of the organization Demonstrate and communicate vision and expectations to staff Performance goals Policies and procedures Risk philosophy of the organization Successful ERM implementation involves everyone in the organization!

23 ERM Overview ERM Culture ERM Infrastructure ERM Integration Vision/Goals Governance Oversight Committee Structure/Charters Common Language Technology/Tools Tolerance/Appetite Risk Transfer Techniques Aggregate Results/Inte grate with Decision- Making Process Measure, Monitor, and Report Risk Management Performance Identify, Assess and Prioritize Business Risk Business Goals, Objectives, and Strategies Develop and Execute Action Plans/Establi sh Metrics Analyze Key Risks and Current Capabilities Determine Strategies and New Capabilities Audit Committee Reporting Business Planning Committee Membership Corporate Audit Dashboard Reporting Product Development Regulatory Compliance Scorecards Strategic Planning ERM Culture Awareness/Training Communication Continuous Improvement Information Sharing Organizational Change Management

24 Key Takeaways Approach and Methodology: ERM seeks to answer the Who, What, Where, When, Why about key organizational risks. ERM should be tailored to the organization s unique characteristics. There is no one-size-fits all solution. Risk realignment is critical to successful ERM implementation. An effective ERM strategy starts with obtaining buy-in from the top. Risk isn t delegated down the chain of command!

25 Components of a Successful ERM Program Key elements for effective ERM

26 There are 5 key steps to implementing ERM: Step 1: Laying the Groundwork for ERM Step 2: Objective-Setting Step 3: Event Identification Step 4: Risk Assessment Step 5: Risk Responses

27 Step 1: Laying the Groundwork for ERM The Scope of ERM Activities: ERM is Enterprise-wide Not limited to financial or accounting roles Begin by establishing what ERM should be in your organization Begin by determining what risk assessments are already being performed in the company What areas are not being covered? Identify gaps Give credit to areas that have identified their most significant risks and are taking measures to mitigate them

28 Laying the Groundwork Set the tone: Paramount to successful implementation is establishing a Risk-Aware Culture.

29 Step 2: Objective-Setting Objective-Setting should link people, process, capital and risk appetite People Process Capital Risk Appetite Risk Appetite: Level of Risk the Organization is willing to accept in pursuit of value creation Reflects risk management philosophy Influences risk culture A guidepost in strategy-setting Related primarily to business model

30 Risk Appetite and Tolerance Overview of Considerations Affecting Risk Profile Existing Risk Profile The current level of risks across the entity and across various risk categories Risk Capacity The amount of risk that the entity is able to support in pursuit of its objectives Risk Tolerance Acceptable level of variation an entity is willing to accept regarding the pursuit of its objectives Determination of Risk Profile Attitudes Towards Risk The attitudes towards growth, risk, and return

31 Step 3: Event Identification Natural Environment Natural disaster Environmental Issues Political Governmental changes and dynamics Legislation Public policy Regulation Social Demographics Consumer behavior Privacy Company Perception Economic Recessionary risk Financial Competition Employment Indicators Goal Achievement Technological Interruptions Electronic commerce Emerging technology External data Fraudulent activity

32 Step 3: Event Identification Personnel Employee competence Fraudulent activity Health and safety Tone at the Top Corporate reputation Corporate responsibility Code of ethics Corporate citizenship Process Capacity Design Execution Suppliers and dependencies Scalability/Growth Infrastructure Availability of assets Capability of assets Access to capital Complexity Goal Achievement Technology Data integrity Data and system availability System selection Development Deployment Maintenance

33 Step 4: Risk Assessment Rating Rating Risk Once key activities and organizational risks are identified, Management from across the organization judgmentally rates the risks The risk rating will be based on the profile of the company, considering factors such as organizational structure, customer concentration, economic climate, regulatory environment, etc. Example Risk Scale Rating Scale Rank Risk 1 Low Very Remote (<10% Chance) 2 Below Avg. Somewhat Likely (>10% - <50% Chance) 3 Moderate Likely (>50% - <70% Chance) 4 5 Above Avg. High Probable (>70% - <90% Chance) Highly Probable (>90% Chance) Risk responses are scored, finalized, and plotted on a Risk Map based on the following: Probability The likelihood of an error or omission occurring Impact The severity (monetary, operational, social, etc.) of that potential

34 Entity-level Risk Questionnaire Risk Assessment Questionnaire Risks are ranked from 0-5, in both probability and impact, so they can be quantified and prioritized. Probability Impact Catergories and subcategories based on the organization's specific characteristics. Risk Statement Not applicable or I do not know Very remote (< 10% chance) Unlikely (> 10% - < 50% chance) Likely (> 50% - < 70% chance) Probable (> 70% - < 90% chance) Highly probable (> 90% chance) Low ( 25% of Materiality Threshold ) Below Average ( > 25% - < 100% of Materiality Threshold ) Moderate ( = Materiality Threshold ) Above Average ( > 100% - < 150% of Materiality Threshold) Comments High ( 150% of Materiality Threshold) Comments will be used in analysis of outliers. ENTITY LEVEL RISKS Political and Social Risk 1 Public affairs outreach will be impacted by reguar instability 2 The organization is perceived to have a poor public image or receives negative publicity

35 Entity-Level Risk Assessment RISK CATEGORY RISK EVENT / INFLUENCERS Composite Risk Rating Entity Level DEMOGRAPHIC RISK Population projections, Aging workforce, Life expectancy rates 4.00 ECONOMIC RISK Consumer behavior, employment indicators, cost of living requirements 3.99 HUMAN CAPITAL RISK Employee competence, morale, and retention, team cohesion 3.65 GOVERNANCE RISK Board diversity, leadership effectiveness, organization identity, tone at the top 3.24 POLITICAL RISK Regulation, public policy, legislation/politics 2.96 GROWTH / COMPETITION RISK New providers, scalability/growth, transportation innovation, service expansion 2.90 REPUTATION RISK Consumer relations, communications (internal and external), privacy 2.89 EXTERNAL ENVIRONMENTAL RISK External technology, weather, relationships with outside agencies 2.88 SYSTEM / APPLICATION RISK Adoption of new technologies, application development, deployment, e-commerce 2.87 ORGANIZATION RISK Institutional value, management practices and continuity, organizational structure 2.81 COMPUTER OPERATIONS RISK Change management, interruptions, redundancy, maintenance, emerging technology 2.69 ORGANIZATIONAL RISKS Employee competency, contracts, poor morale, reliance on debt financing, turnover 2.62 OPERATION RISK Business continuity, project delivery, maintenance, health and safety, security 2.57 FINANCIAL STABILITY RISK Availability of capital, budgeting, liquidity, debt service, cash management 2.42 SECURITY RISK External penetration, information security, internal security, privacy, confidentiality 2.22 MISAPPROPRIATION OF ASSETS Availability of cash, diversion of assets, theft, negligence, collusion 2.08 CORRUPTION RISKS Kickbacks, related party transactions, self-dealing, vendor favoritism 2.02 FINANCIAL REPORTING RISK Financial statement manipulation, misuse of restricted funds, reporting capabilities 1.95 DATA MANAGEMENT RISK Data integrity, external data, third party data sharing 1.85

36 Entity-Level Risk Assessment Risk Map 1 DEMOGRAPHIC RISK 2 ECONOMIC RISK 3 HUMAN CAPITAL RISK 4 GOVERNANCE RISK 5 POLITICAL RISK 6 GROWTH / COMPETITION RISK 7 REPUTATION RISK 8 Top 10 Risk Categories EXTERNAL ENVIRONMENTAL RISK 9 ORGANIZATION RISK 10 OPERATION RISK

37 Process-Level Risk Assessment Entity level risks to be applied to each project Risk Factor SIGNIFICANT ACTIVITIES P I P I P I P I P I P I OPERATIONS Human Resources Administration Hiring and Termination Policies Pay Rate Authorization and Changes Job Classification & Compensation Benefits Administration Information Technology Change Management Network Security Application Access Data Management Software/Hardware Licensing Telephony Disaster Recovery Customer Service Account Opening/Closing Dispute resolution process Mail Processing Claims Management Economic Demographic Human Capital Governance Information Technology Probability and impact to be completed by risk assessment forum Fraud Significant activities to be risk rated

38 Benefits of Risk Assessment Through performing risk assessments, we can: Identify and understand the most significant risks in the organization Evaluate the likelihood of occurrence of identified risks and the potential impact they may have on the achievement of the organization s objectives Develop a plan for managing the organization s risk Decide which process areas to include in the annual internal audit plan in a risk-based approach to monitoring the design and effectiveness of control activities Risk Assessments can also improve overall risk awareness in the organization by: Getting Management involved in the discussions to identify key risks Encouraging Management s development of responses to risks Providing a baseline evaluation of risk to be integrated into ongoing monitoring and improvement

39 Step 5: Develop Risk Response When developing risk responses, Management: Considers alternative responses Reduce: Implement mitigating controls Accept: Take no positive action to mitigate the risk Avoid: Stop engaging in any activity that creates the risk Share: Share the risk with a third party; e.g., insurance policies Evaluates costs/benefits of available risk responses Analyzes whether risk responses appropriately reduce risk to tolerable level Selects most appropriate risk response based on risk appetite, risk tolerance, and evaluation of portfolio risk

40 Risk Response Plan Significant Activity Sub-Process Impact Probability Composite Risk Map Quadrant Disaster Recovery / Business Continuity Plan Environmental Reporting & Compliance Training and Competencies Emergency Response Plans Information Technology Health and Safety Health and Safety Health and Safety Risk Response DR / BCP testing is planned for March Compliance Audit over for Phase I and II Environmental is planned for November 2014 Monitoring of training compliance is performed quarterly by HR. Employee competencies are part of the Annual Employee Evaluation Physical Security Health and Safety Included in the 2014 Internal Audit Plan Incident Reporting and Investigation Health and Safety Network Security (Encryption, Logical Access, Virus, Internal or External) Critical Application Access and Controls Commodity Price Hedging Strategy and Operations Accounting for Hedging Activities and Ineffectiveness Calc. Debt Covenant Compliance Monitoring Collateral Provisions and Contingencies Information Technology Information Technology Revenue, Expense, and Production Volume Reporting Revenue, Expense, and Production Volume Reporting Debt and Equity Debt and Equity Network security will be added to the 2014 internal audit plan. Application access is addressed through internal control compliance procedures. An internal audit over commodity price hedging strategies was conducted in Hedge accounting is reviewed annually through the external audit. Debt compliance is reviewed annually through the external audit. An internal audit over Longterm Debt and Collateral validation was part of the 2013 Internal Audit Plan

41 What do you think? What is the biggest challenge companies face in attempting to manage risk? A. Weakness in risk culture B. Organization is too complex to manage risk C. Inadequate information needed to make risk-based decisions D. People are unaware of what they need to do concerning risk

42 What do you think? What is the biggest challenge companies face in attempting to manage risk? A. Weakness in risk culture 15% B. Organization is too complex to manage risk 21% C. Inadequate information needed to make risk-based decisions 23% D. People are unaware of what they need to do concerning risk 28%

43 Key Risk Indicators KPI s Many organizations currently monitor key performance indicators (KPI s) in order to stay up-to-date on potential events According to COSO, KPI s may not provide enough advance notice. Often, KPI s alert management to risk events that have already impacted the organization KRI s Key Risk Indicators (KRI s): Metrics developed by management to identify potential future shifts in risk conditions Using KRI s allows for more timely, strategic, and proactive development of risk mitigation strategies

44 The Benefits of a Broader, ERM-Based Focus Identify the strategic objectives and major initiatives of the organization. Determine critical success factors for each objective Understand which KPI s managers are monitoring to meet business results and strategic objectives Perform root analysis to identify risk influencers that affect KPI s and KRI s

45 The Capability Maturity Model Management needs to make the following decisions regarding ERM: Where are we, and where do we want to be? At what rate do we want to improve? Upon which risks do we focus our efforts for improvement? What resources are we willing to commit to risk management to ensure continuous attainment of objectives?

46 The Capability Maturity Model Optimizing Initial Ad hoc Undocumented Risk Management is not a defined process. Culture does not promote risk awareness or facilitate risk identification across the entity. Repeatable Repeatable and sometimes consistent Limited process discipline Individual departments may do own risk assessments May be some consistency in processes Little buy-in from top management and the process is not implemented across the entity. Defined Standard processes in place and documented Consistent Individual departments have mature, documented, consistent risk assessment processes, but there is little visibility of the results of these assessments at the Senior Management or Board Level. Risk assessments are performed, but in silos, thus there is not a true "portfolio view" of risk. Managed Management controls the As- Is process Can adapt process to projects Management has begun inventorying risk assessments and developing an entitywide risk universe. Risk management is no longer siloed within the organization. Limited monitoring and reporting functions exist to provide proactive identification of KPI's, KRI's. Continual process improvement Management regularly revisits maturity goals and benchmarks progress against goals. KRI's, KPI's are consistently measured to gain a proactive view of risks facing the company. Developed by Carnegie Mellon University

47 ERM as an Ongoing Process ERM is a continuous process that should be updated as changes in the operating environment occur: Economic events continually impact financial, liquidity, competition risk Strategic risk should be re-evaluated for: Launching new product or service offerings Expanding into new markets Risks and responses must be kept up-to-date to reflect latest regulatory changes ERM should be independently owned in the organization to ensure: Risks are embedded in the strategy-setting and decision-making processes of the organization Monitoring activities are being performed and follow-up actions occur to ensure risks are properly identified and mitigated on an ongoing basis

48 Key Takeaways Key Components of a successful ERM Monitor KPI s and KRI s proactively Establish goals for process maturity Monitor results of ERM activities. Two effective tools for monitoring are surveys and the internal audit function. Implement effective reporting mechanisms Communicate results of performance ERM is an ongoing process. It s a journey not a destination.

49 Practical Insights on ERM How businesses get the most value out of strategic risk management

50 Case Study: Fidelity Investments Fidelity s Risk Advisory Services Group structure their focus on risks surrounding the core drivers to its business strategy. Risks are spread across 7 risk categories: Reputational, Strategic, Financial, Operational, Organizational, Compliance/Legal, and Technology Recognizing and effectively managing IT related risks is vital to Fidelity s core business strategy: The tolerance for system outages is not acceptable Customers do not want to hear, the system is down. Fidelity uses tabletop exercises to determine severity of risk events 1. Members of management evaluate the significance of potential risk scenarios to Fidelity s ability to maintain core operations. Vendor ability to deliver core support services. 2. Tabletop exercises build upon past experiences and near misses to help predict the future impact of a particular risk event

51 Case Study: Xerium Technologies Senior Executives thought ERM was a compliance exercise like SOX Senior Leadership acted reactionary to risk, putting out fires! Nobody spent the time to look ahead and get above the curve The ERM process helped the company navigate bankruptcy What the company wanted to avoid What were some things they wanted out of bankruptcy What they not want to lose What did they want to maintain? CUSTOMERS, SHAREHOLDERS. In the initial phases of ERM The CEO, VP of Audit, and CFO sat down and ironed out their top 15 risks After a meeting with the board about 6 more were added Now the process has evolved through an online Questionnaire directed at various levels of management Success of the program relied on getting all risk owners involved Source: NCSU interview with Fred Caloggero, VP Audit Services of Xerium

52 Case Study: Target Implements ERM In the wake of the economic crisis, Target sought to refocus on the right risks through ERM. Target defined the following objectives for ERM: 1. Enhanced risk awareness and dialogue 2. Reduced operational surprises and losses 3. Alignment of risk appetite and strategy 4. Anticipation / management of cross-company risks To achieve these objectives, Target: 1. Sought input from management team to create list of top 10 risks that keep management up at night 2. Categorized and risk-ranked the top-10 risks and answered the following questions for each risk: How important do you think this risk is for the future of Target? What is your level of discomfort with the current controls, strategy, and management approach to risk?

53 Putting it all together A Risk Awareness culture is collectively promoting a shared sense of values, ideas, and goals that is unified to take actions to reduce and mitigate opportunities for unfavorable events to occur that impact an organization s ability to meet its objectives.

54 A Phased Approach to ERM What we ve found. ERM is a journey not a destination. Take time to embed it into the organization s decision-making in order to reap the rewards. ERM is about better communication and collaboration across the organization business units, senior management and the board. To effectively manage and monitor risk, ERM needs to be independent of other operational functions needs to have authority to foster change. Organizations that spend time upfront to identify, understand, manage, navigate risk benefit from insights into risk influences that are strategic to the organization s success.

55 Built in Incentives and Benefits of Implementing ERM While the recognition of value is felt at the executive level, the impact is pervasive to the entire organization 1. Increased opportunities for risk communication across divisions 2. Minimization of otherwise adverse financial impact on the organization 3. Revealing synergies by evaluating risk data on a consolidated basis 4. Cost-effective management and monitoring risk efforts The Long Term Benefits from an ERM program 1. Enhanced Stakeholder confidence and support 2. Streamline reporting and analysis of risks 3. The improvement of executive level decision making, confidence and achievement of operational and strategic objectives 4. Reviewing risk holistically can create competitive advantages in the marketplace 5. Efficient coordination with regulatory and compliance parties Bond Rating Agencies Regulatory Examiners External/ Internal Auditors