GAINING CONTROL: Building Your Existing Framework into an ERM Model

GAINING CONTROL: Building Your Existing Framework into an ERM Model
RIMS Northeast Ohio Chapter Education Day
Carol Fox, ARM, RIMS Director of Strategic and Enterprise Risk Practice
November 19, 2013
Copyright 2013 Risk and Insurance Management Society, Inc.

Agenda
- ERM Explained
- Reframe
- Inventory
- Align
- Accelerate
- Questions

The Risk Professional: Balancing Risk and Reward
(Dilbert cartoon) "My job is to create an environment where employees feel safe taking risks. My other job is punishing employees who make any kind of mistake. My point is that I'm glad I don't have your job."
Used with permission per RIMS license agreement with The Official Dilbert Store

What does risk management mean to you? Source: RIMS Workshop - Risk Management Techniques: Gaining the Risk Advantage, 2013. All rights reserved.

The Function's Evolution (figure)
Source: RIMS Workshop - Risk Management Techniques: Gaining the Risk Advantage, 2013. All rights reserved.

ERM EXPLAINED
What is different about Enterprise Risk Management?

ERM Explained - Definition
Enterprise risk management is a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
Source: www.rims.org/resources/erm/pages/whatiserm.aspx

ERM Explained - What is different about ERM?
1. Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.)
2. Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual silos
3. Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances, and stakeholders
4. Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks
5. Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature
6. Views the effective management of risk as a competitive advantage
7. Seeks to embed risk management as a component in all critical decisions throughout the organization
ERM is more than a process alone.
Source: www.rims.org/resources/erm/pages/whatiserm.aspx

ERM is More Than Process Alone (figure)

ERM is Much More Than Process Alone (figure)

REFRAME
Looking for a different approach?

C-Suite's Competency Expectations of Risk Management Professionals (figure)
Source: DELIVERING STRATEGIC VALUE THROUGH RISK MANAGEMENT, RIMS/Marsh Excellence 10 Report, 2013. All rights reserved.

DePaul Strategic Risk Management Lab Findings: The Six Challenges for Risk Management
1. Risk management is not integrated with strategy and strategy execution.
2. Risk assessments are focused on the wrong risks; often not focused on the most important strategic risks (Pareto 80/20 rule).
3. Risk management is not executed as a continual and repeatable process.
4. Risk management silos create barriers to developing effective risk management.
5. Risk management is not viewed as value-added (branding). ERM is often under-resourced and under-networked in the organization.
6. Differing perceptions of the importance of different risks within different parts of the organization. Strategic risk management is not a core competency.
Source: Dr. Mark L. Frigo, PhD, CPA, CMA, www.commerce.depaul.edu/sev

Reframe: Why Focus on Strategic Risks?
Types of risks resulting in share price declines greater than 30% (chart)

Reframe: Value Protection or Value Creation?
Risk = the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). (Wikipedia)
Risk = an uncertain future outcome that can either improve or worsen the organization's position. (RIMS)

Reframe: For Strategy (figure)
Source: RIMS Workshop - Risk Management Techniques: Gaining the Risk Advantage, 2013. All rights reserved.

How does ERM help with increased certainty and value creation?
Strategic risk management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization's strategy and strategy execution.
Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved.

(figure) Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved.

Reframe: The Evolving Role of the Risk Professional (figure)
Source: RIMS Executive Report: The Evolving Role of the Risk Professional, 2012

Reframe: Risk Management's Role in Strategy Planning and Execution (figure)
Source: DELIVERING STRATEGIC VALUE THROUGH RISK MANAGEMENT, RIMS/Marsh Excellence 10 Report, 2013. All rights reserved.

10 Easy(?) Steps to Implement ERM
1. Define what value your organization will gain from ERM
2. Research and understand different standards and frameworks
3. Inventory what your organization is already doing
4. Seek support and help
5. Keep it simple
6. Start small
7. Go for the quick wins
8. Delegate fixes to risk owners
9. Report on progress
10. Develop your soft skills
Source: C. Fox, "10 Easy Steps to Implement Enterprise Risk Management", Risk Management Magazine, November 2012

INVENTORY WHAT YOUR ORGANIZATION IS ALREADY DOING
Do we start from scratch?

The LEGO Group ERM Model Evolved from Existing Practices
(diagram: ERM at the centre of Strategic, Operational, Legal, Employee Safety, Financial, IT Security and Hazard risk management)
- Most risk management, Lego had for years
- They added strategic risk management late 2006
- They defined and implemented consolidated ERM reporting from 2007
- They defined Lego's risk appetite, and began reporting up against that in 2008
Source: Hans Laessoe at RIMS Annual Conference 2011 session: Strategic risk management: the new core competency

Leverage Control Practices Already in Place
- Root cause analyses
- Adhering to risk management policies on risk tolerance, risk authorities, etc.
- Risk treatment options: Accept, Avoid, Transfer, Mitigate and/or Exploit
- Controls assessment (audits)
- Measure uncertainties / deviations from plan

Common Risks              Management Control Options
Business Disruption       Business Continuity Management
Environmental             Environmental Management
Execution Failure         Quality Assurance / Project Management
Theft / Civil Unrest      Physical Security Management
Data Breach / Attack      Privacy / Information Security Management
Regulatory                Compliance Program Management
IT Infrastructure         IT Risk Management
Financial Risks           Financial Risk Management
Worker / Public Injury    Safety Management

Into a Risk Control Network (figure)
Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved.

Risk Control Sources: Integrating a Control System
1. Existing controls
2. Additional controls
3. Additional opportunities created
Inputs: Legal Requirements; Standards-Based Requirements; Performance Requirements
Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved.

How Ready Are You?
Using the following scale, how effective do you think your organization's existing network of controls is in managing your organization's risk exposures?
1 - Not at all effective
2 - Marginally effective in some areas
3 - Moderately effective in most areas
4 - Effective in most areas
5 - Very effective in almost all areas
6 - Don't know / not sure

Gaining Control
Why did the royal safety engineer stop the hanging? "There's no railing on the steps."
Safety Programs: Regulations require it!

Measuring Risk Control Effectiveness
Diagram quadrants: Measuring; Audits; Sustainability; Ownership
- Measuring: expected outcome, actual outcome, desired outcome, effectiveness rating
- Sufficiency: improvements needed, actions to close gaps
- Monitoring / modifications / necessity: acting on gaps, implementing modifications, discontinuing non-essential controls
Source: RIMS Workshop - Risk Management Techniques: Gaining the Risk Advantage, 2013. All rights reserved.

Assessing Control Gaps
- Control objective
- Activity focused
- Subjective scope
- May assume that reviewed controls cover all potential risk events or trends
- Controls carry equal weight
- Emerging risks not addressed
Source: RIMS Workshop: ERM - Accelerating Theory Into Practice

Response Effectiveness Planning
Engaging Risk Owners in Risk Response Action Planning

Mapping Control Effectiveness
Control effectiveness plotted against key risks (chart)
Source: RIMS Workshop: Risk Management Techniques: Gaining the Risk Advantage, 2013. All rights reserved. Graphic source: www.tc.gc.ca

Risk Control Framework (figure)
Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved.

ALIGN
Building Current Practices Into an Enterprise Risk Management Model

Using Existing Risk Management Components: Risk Management at HDI
- Code of Business Conduct
- Ethics Helpline
- Risk Dashboard
- Business Continuity Program
- Common Information Systems Architecture
- Annual Performance Management Process
- Corporate Policies
- Internal Audits of High Risk Areas
- Quarterly Updates of Compliance Plans
- Monthly Ops. Reviews of Strategic Risks
- Capital Appropriations Process
- Disclosure Committee
- Quarterly Financial Reviews
- Common SAP Financial System
- Strategic Risk Maps
- Annual Leadership Summits
- Finance Embedded in all Units/Locations
- Coordination with External Auditors
- Black Swan Risk Identification
- SOX Steering Committee
- Strategic Planning
- Annual Budgeting Process
- Risk Management Charter and Policy
- Ethics & Compliance Committee
- Risk Appetite
- Leadership Development
- Signature Authority
Source: Harley-Davidson Presentation at RIMS 2013 ERM Conference by Robert Gould, Director of Internal Audit. 2013 Harley-Davidson Inc. All rights reserved.

Aligning Risk Control Resource Pool
- What You Can Control
- What You Can Influence
- What Is Outside of Your Control

Aligning Risk Controls
- Management control options operate at multiple levels, but should cascade
- Alignment of controls enables allocation of responsibility and accountability
- Vertical alignment ensures that controls are applied in a way consistent with the organization's risk and strategic objectives

Into a Strategic Risk Control Framework: Aligning Objectives, Initiatives and Processes with Risks and Authority (figure)
Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved.

Example: Risk Control Alignment
The cascade runs from strategic objective to initiative to process; each level has a named owner and the risk that owner is accountable for.

Level                Item                               Owner                              Risk
Strategic Objective  Improve Security of Consumer Data  CIO                                Breach of Consumer Privacy
Initiative           Implement Database Security        Director of Information Security   Failure to Fully Secure Database
Process              Apply Password Controls            Manager, Database Administration   Failure to Apply Minimum Standards

Source: RIMS Gaining Control Course Cast 2013. All rights reserved.

Who Has A Stake In The Risk Discussion?
Who best understands the risks that our organization may be facing? Develop a working committee of all the stakeholders:
- Operations
- Sales
- Accounting
- Legal
- Others?

Forging Collaborative Alliances (figure)
Source: RIMS 2013 Benchmark Survey, produced by Advisen

GM Risk Management Planning Network
Source: General Motors Presentation at RIMS 2012 ERM Conference by Brian Thelen, CRO
General Motors Risk Officer Team: Crisis Management; Business Process Controls; Treasury; Insurance Risk Management; Corp Strategy & Bus Dev; GM Asset Management; Tax; GM Financial; Business Continuity Planning; Controller's; Product Development; Communications; Special Investigations; Trade Flow SMEs; Human Resources; GPSC; Legal; Planning & Portfolio; Research & Development; Audit Services; Public Policy; Global Connected Consumer; Information Technology; Competitive Intelligence; Finance Risk Review with Treasury Staff; Metals and Energy Steering Committee; North America; South America; International Operations; Europe; Others as Appropriate
How the network operates:
- Monthly Risk Officer Meeting
- Meet informally / pull in as required
- Open communication, "pick up the phone" approach
- Concerns escalated as needed

Tying It All Together: Planning Cycle Alignment (figure)
From RIMS Workshop: Accelerating Theory into Practice. All rights reserved.

The ERM Journey
(chart axes: Shorter-term to Longer-term; Present to Strategic Course)
Initial: Ad-hoc
Build the Base:
- Set risk strategy, policy and framework
- Set optimal risk management structure
- Build resource pool
- Systematic risk reporting
- Risk owners defined and accountable
- Defined materiality
- Provide risk reports to Executive Committee / Audit Committee
Mature the Program:
- Consistent enterprise risk identification and assessment
- Business unit risk profiles
- Aggregate risks across the enterprise
- Defined risk appetite
- Detection of emerging risks
- Identify and monitor key risk indicators
- Initiate technology solution
- Optimize resource pool
Link to Performance:
- Embedded in strategic planning and other business processes
- Management has risk and control performance objectives
- Technology solution in place
- Risk linked to business performance measurement
- Enterprise-wide risk awareness and education
STRATEGIC implementation of ERM into the frontlines of business

Where Does Your Organization Stand? Taking Stock with RIMS RMM
Attributes (seven core areas of ERM that drive effectiveness; compatible with various specialized frameworks):
1. Adoption of ERM-based approach
2. ERM process management
3. Risk appetite management
4. Root cause discipline
5. Uncovering risks
6. Performance management
7. Business resiliency and sustainability
Risk competency measurement: 25 factors and 68 indicators; objective evaluation criteria; key issues that differentiate maturity levels
Maturity levels: five maturity levels; detailed descriptions unique for each attribute; a measure to help reach goals for improvement
Benchmarking: standing in peer group; highlights ERM trends and priorities

A Free Assessment: RIMS Risk Maturity Model
Begin from the RIMS website

ACCELERATE ERM THEORY INTO PRACTICE
Ready to Get Started?

RIMS ERM SUCCESS TRAJECTORY MODEL
Context: Governance and Culture; Strategic and Operational Objectives
Cycle: Commit, Design, Activate, Monitor/Review, Improve
Did we achieve our stated ERM purpose? Governance? Risk strategy? Accountability? Principles?
From RIMS Workshop: Accelerating Theory into Practice. All rights reserved.

Revisiting RIMS Strategic Risk Management Framework (figure)
Source: RIMS Strategic Risk Management Implementation Guide. All rights reserved.

FOR ADDITIONAL HELP
Accelerating Workshop: Washington DC, June 9-11, 2014
RIMS ERM Conference: Fall 2014
www.rims.org

Thank You
FOR MORE INFORMATION please visit the RIMS Strategic and Enterprise Risk Center: www.rims.org/resources

Gaining Control - QUESTIONS
Carol Fox, ARM
Director of Strategic and Enterprise Risk Practice, RIMS
+1 212.655.6004
cfox@rims.org
www.rims.org