GAINING CONTROL: Building Your Existing Framework into an ERM Model

Transcription

1 GAINING CONTROL: Building Your Existing Framework into an ERM Model RIMS Northeast Ohio Chapter Education Day Carol Fox, ARM RIMS Director of Strategic and Enterprise Risk Practice November 19, 2013 Copyright 2013 Risk and Insurance Management Society, Inc. 1

2 Agenda ERM Explained Reframe Inventory Align Accelerate Questions Copyright 2013 Risk and Insurance Management Society, Inc. 2

3 The Risk Professional Balancing Risk and Reward MY JOB IS TO CREATE AN ENVIRONMENT WHERE EMPLOYEES FEEL SAFE TAKING RISKS. MY OTHER JOB IS PUNISHING EMPLOYEES WHO MAKE ANY KIND OF MISTAKE. MY POINT IS THAT I M GLAD I DON T HAVE YOUR JOB. Used with permission per RIMS license agreement with The Official Dilbert Store Copyright 2013 Risk and Insurance Management Society, Inc. 3

4 What does risk management mean to you? Source: RIMS Workshop - Risk Management Techniques: Gaining the Risk Advantage, All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc. 4

5 The Function s Evolution Source: RIMS Workshop - Risk Management Techniques: Gaining the Risk Advantage, All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc. 5

6 What is different about Enterprise Risk Management? ERM EXPLAINED Copyright 2013 Risk and Insurance Management Society, Inc. 6

7 ERM Explained - Definition Enterprise risk management is a strategic business discipline that supports the achievement of an organization s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. Source: Copyright 2013 Risk and Insurance Management Society, Inc. 7

8 ERM Explained What is different about ERM? 1. Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.) 2. Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual silos 3. Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances, and stakeholders 4. Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks Source: Copyright 2013 Risk and Insurance Management Society, Inc. 8

9 ERM Explained What is different about ERM? 5. Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature; 6. Views the effective management of risk as a competitive advantage, and 7. Seeks to embed risk management as a component in all critical decisions throughout the organization. More than a process alone Source: Copyright 2013 Risk and Insurance Management Society, Inc. 9

10 ERM is More Than Process Alone Copyright 2013 Risk and Insurance Management Society, Inc. 10

11 ERM is Much More Than Process Alone Copyright 2013 Risk and Insurance Management Society, Inc. 11

12 Looking for a different approach? REFRAME Copyright 2013 Risk and Insurance Management Society, Inc. 12

13 C-Suite s Competency Expectations of Risk Management Professionals Source: DELIVERING STRATEGIC VALUE THROUGH RISK MANAGEMENT RIMS/Marsh Excellence 10 Report, All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc. 13

14 DePaul Strategic Risk Management Lab Findings: The Six Challenges for Risk Management 1. Risk management is not integrated with strategy and strategy execution. 2. Risk assessments are focused on the wrong risks; often not focused on the most important strategic risks (Pareto 80/20 rule ). 3. Risk management is not executed as a continual and repeatable process. 4. Risk management silos create barriers to developing effective risk management. 5. Risk management is not viewed as value-added (branding). ERM is often under-resourced and under-networked in the organization. 6. Differing perceptions of the importance of different risks within different parts of the organization. Strategic risk management is not a core competency. Source: Dr. Mark L. Frigo, PhD, CPA, CMA Copyright 2013 Risk and Insurance Management Society, Inc. 14

15 Reframe: Why Focus on Strategic Risks? Types of risks resulting in share price declines greater than 30% Copyright 2013 Risk and Insurance Management Society, Inc

16 Reframe: Value Protection or Value Creation? Risk = the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). Wikipedia Risk = an uncertain future outcome that can either improve or worsen the organization s position. RIMS Copyright 2013 Risk and Insurance Management Society, Inc. 16

17 Reframe: For Strategy Source: RIMS Workshop - Risk Management Techniques: Gaining the Risk Advantage, All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc

18 How does ERM help with increased certainty and value creation? Strategic risk management ( SRM ) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization s strategy and strategy execution. Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc. 18

19 Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc

20 Reframe: The Evolving Role of the Risk Professional Source: RIMS Executive Report: The Evolving Role of the Risk Professional 2012 Copyright 2013 Risk and Insurance Management Society, Inc

21 Reframe: Risk Management s Role in Strategy Planning and Execution Source: DELIVERING STRATEGIC VALUE THROUGH RISK MANAGEMENT RIMS/Marsh Excellence 10 Report, All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc

22 10 Easy(?) Steps to Implement ERM 1. Define what value your organization will gain from ERM 2. Research and understand different standards and frameworks 3. Inventory what your organization is already doing 4. Seek support and help 5. Keep it simple 6. Start small 7. Go for the quick wins 8. Delegate fixes to risk owners 9. Report on progress 10. Develop your soft skills Source: C. Fox, 10 Easy Steps to Implement Enterprise Risk Management Risk Management Magazine, November 2012 Copyright 2013 Risk and Insurance Management Society, Inc. 22

23 Do we start from scratch? INVENTORY WHAT YOUR ORGANIZATION IS ALREADY DOING Copyright 2013 Risk and Insurance Management Society, Inc. 23

24 The LEGO Group ERM Model Evolved from Existing Practices Most risk management, Lego had for years They added strategic risk management late 2006 Strategic Operational They defined and implemented a consolidated ERM reporting from 2007 Legal ERM Employee Safety They defined Lego s risk appetite, and began reporting up against that in 2008 Financial IT Security Hazard Source: Hans Laessoe at RIMS Annual Conference 2011 session: Strategic risk management: the new core competency Copyright 2013 Risk and Insurance Management Society, Inc. 24

25 Root cause analyses Leverage Control Practices Already in Place Adhering to risk management policies on risk tolerance, risk authorities, etc. Accept, Avoid, Transfer, Mitigate and / or Exploit Common Risks Business Disruption Environmental Execution Failure Theft/Civil Unrest Data Breach / Attack Regulatory IT Infrastructure Financial Risks Worker / Public Injury Management Control Options Business Continuity Management Environmental Management Quality Assurance/Project Management Physical Security Management Privacy/Information Security Management Compliance Program Management IT Risk Management Financial Risk Management Safety Management Controls Assessment (Audits) Measure uncertainties / deviations from plan Copyright 2013 Risk and Insurance Management Society, Inc. 25

26 Into a Risk Control Network Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc. 26

27 Risk Control Sources Integrating a Control System 1. Existing controls 2. Additional controls 3. Additional opportunities created Legal Requirements Standards- Based Requirements Performance Requirements Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc. 27

28 How Ready Are You? Using the following scale, how effective do you think your organization s existing network of controls is in managing your organization s risk exposures? 1 Not at all effective 2 Marginally effective in some areas 3 Moderately effective in most areas 4 Effective in most areas 5 Very effective in almost all areas 6 Don t know / not sure Copyright 2013 Risk and Insurance Management Society, Inc. 28

29 Gaining Control Why did the royal safety engineer stop the hanging? Safety Programs: Regulations require it! THERE S NO RAILING ON THE STEPS. Copyright 2013 Risk and Insurance Management Society, Inc. 29

30 Measuring Audits Sustainability Ownership Measuring Risk Control Effectiveness Expected outcome Actual outcome Desired outcome Effectiveness rating Sufficiency Improvements needed Actions to close gaps Monitoring Modifications Necessity Acting on gaps Implementing modifications Discontinuing non-essential controls Source: RIMS Workshop - Risk Management Techniques: Gaining the Risk Advantage, All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc. 30

31 Assessing Control Gaps Control objective Activity focused Subjective scope May assume that reviewed controls cover all potential risk events or trends Controls carry equal weight Emerging risks not addressed Source: RIMS Workshop: ERM Accelerating Theory Into Practice Copyright 2013 Risk and Insurance Management Society, Inc. 31

32 Response Effectiveness Planning Engaging Risk Owners in Risk Response Action Planning Copyright 2013 Risk and Insurance Management Society, Inc. 32

33 Mapping Control Effectiveness Control effectiveness plotted against key risks Source: RIMS Workshop: Risk Management Techniques: Gaining the Risk Advantage, All rights reserved. Graphic source: Copyright 2013 Risk and Insurance Management Society, Inc. 33

34 Risk Control Framework Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc. 34

35 Building Current Practices Into an Enterprise Risk Management Model ALIGN Copyright 2013 Risk and Insurance Management Society, Inc. 35

36 Using Existing Risk Management Components Risk Management at HDI Code of Business Conduct Ethics Helpline Risk Dashboard Business Continuity Program Common Information Systems Architecture Annual Performance Management Process Corporate Policies Internal Audits of High Risk Areas Quarterly Updates of Compliance Plans Monthly Ops. Reviews of Strategic Risks Capital Appropriations Process Disclosure Committee Quarterly Financial Reviews Common SAP Financial System Strategic Risk Maps Annual Leadership Summits Finance Embedded in all Units/locations Coordination with External Auditors Black Swan Risk Identification SOX Steering Committee Strategic Planning Annual Budgeting Process Risk Management Charter and Policy Ethics & Compliance Committee Risk Appetite Leadership Development Signature Authority Source: Harley-Davidson Presentation at RIMS 2013 ERM Conference by Robert Gould, Director of Internal Audit Copyright 2013 Risk and Insurance Management Society, Inc Harley-Davidson Inc. All rights reserved.

37 Aligning Risk Control Resource Pool What You Can Control What You Can Influence What Is Outside of Your Control Copyright 2013 Risk and Insurance Management Society, Inc. 37

38 Aligning Risk Controls Management Control Options operate at multiple levels, but should cascade Alignment of controls enables allocation of responsibility and accountability Vertical alignment ensures that controls are applied in a way consistent with the organization s risk and strategic objectives Copyright 2013 Risk and Insurance Management Society, Inc. 38

39 Into a Strategic Risk Control Framework Aligning Objectives, Initiatives and Processes with Risks and Authority Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc. 39

40 Example: Risk Control Alignment Strategic Objective: Improve Security of Consumer Data Initiative: Implement Database Security Strategic Objective Owner: CIO Initiative Owner: Director of Information Security Strategic Risk: Breach of Consumer Privacy Initiative Risk: Failure to Fully Secure Database Process: Apply Password Controls Process Owner: Manager, Database Administration Process Risk: Failure to Apply Minimum Standards Source: RIMS Gaining Control Course Cast All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc. 40

41 Who Has A Stake In The Risk Discussion? Who best understands the risks that our organization may be facing? Develop a working committee of all the stakeholders Operations Sales Accounting Legal Others? Copyright 2013 Risk and Insurance Management Society, Inc. 41

42 Forging Collaborative Alliances Source: RIMS 2013 Benchmark Survey Produced by Advisen Copyright 2013 Risk and Insurance Management Society, Inc

43 GM Risk Management Planning Network Source: General Motors Presentation at RIMS 2012 ERM Conference by Brian Thelen, CRO General Motors Risk Officer Team Crisis Management Business Process Controls Treasury Insurance Risk Management Corp Strategy & Bus Dev GM Asset Management Tax GM Financial Business Continuity Planning Controller s Product Development Communications Special Investigations Trade Flow SME s Human Resources GPSC Legal Planning & Portfolio Research & Development Audit Services Public Policy Global Connected Consumer Information Technology Competitive Intelligence Finance Risk Review with Treasury Staff Metals and Energy Steering Committee North America South America International Operations Europe Others as Appropriate Monthly Risk Officer Meeting Meet Informally/Pull as Required Open Communication Pick up the Phone approach Concerns escalated as needed Copyright 2013 Risk and Insurance Management Society, Inc. 43

44 Tying It All Together: Planning Cycle Alignment From RIMS Workshop: Accelerating Theory into Practice. All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc. 44

45 The ERM Journey Longer-term Present Strategic Course Shorter-term Ad-hoc Initial Build the Base Set risk strategy, policy and framework Set optimal risk management structure Build resource pool Systematic risk reporting Risk owners defined and accountable Defined materiality Provide risk reports to Executive Committee / Audit Committee Mature the Program Consistent enterprise risk identification and assessment Business unit risk profiles Aggregate risks across the enterprise Defined risk appetite Detection of emerging risks Identify and monitor key risk indicators Initiate technology solution Optimize resource pool Link to Performance Embedded in strategic planning and other business processes Management has risk and control performance objectives Technology solution in place Risk linked to business performance measurement Enterprise-wide risk awareness and education STRATEGIC implementation of ERM into the frontlines of business Copyright 2013 Risk and Insurance Management Society, Inc. 45

46 Where Does Your Organization Stand? Attributes 1. Adoption of ERM-based approach 2. ERM process management 3. Risk appetite management 4. Root cause discipline 5. Uncovering risks 6. Performance Management 7. Business resiliency and sustainability Taking Stock with RIMS RMM Attributes Seven core areas of ERM that drive effectiveness Compatible with various specialized frameworks Risk competency measurement 25 factors and 68 indicators Objective evaluation criteria Key issues that differentiate maturity levels Maturity levels Five maturity levels Detailed descriptions unique for each attribute Measure to help reach goals for improvement Benchmarking Standing in peer group Highlights ERM trends and priorities Copyright 2013 Risk and Insurance Management Society, Inc. 46

47 Begin from RIMS website A Free Assessment RIMS Risk Maturity Model Copyright 2013 Risk and Insurance Management Society, Inc. 47

48 ? Ready to Get Started? ACCELERATE ERM THEORY INTO PRACTICE Copyright 2013 Risk and Insurance Management Society, Inc. 48

49 RIMS ERM SUCCESS TRAJECTORY MODEL GOVERNANCE AND CULTURE MONITOR COMMIT DESIGN ACTIVATE /REVIEW IMPROVE STRATEGIC AND OPERATIONAL OBJECTIVES Did we? From RIMS Workshop: Accelerating Theory into Practice. All rights reserved. Achieve our stated ERM Purpose? Governance? Risk strategy? Accountability? Principles? Copyright 2013 Risk and Insurance Management Society, Inc. 49

50 Revisiting RIMS Strategic Risk Management Framework Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved. Copyright 2013 Risk and Insurance Management Society, Inc. 50

51 FOR ADDITIONAL HELP Accelerating Workshop Location Date Washington DC June 9-11, 2014 RIMS ERM Conference Fall Copyright 2013 Risk and Insurance Management Society, Inc. 51

52 Thank You FOR MORE INFORMATION Please visit RIMS Strategic and Enterprise Risk Center Copyright 2013 Risk and Insurance Management Society, Inc. 52

53 Thank You Carol Fox, ARM Director of Strategic and Enterprise Risk Practice RIMS Gaining Control QUESTIONS Copyright 2013 Risk and Insurance Management Society, Inc. 53