
Enterprise Risk Management: Improving Financial Performance, Governance and Compliance Through a Structured Approach
Experis Finance
By: Fred E. Lutzeier, National ERM Director, Fred.Lutzeier@Experis.Com / 314 265 3497
May 13, 2015

Agenda: Topics for Today's Meeting
- The Rise of ERM / How Did We Get Here?
- ERM: What Is It and Why Have It?
- ERM Frameworks and Maturity Models
- ERM and Business Strategy, Objectives & Tactics
- ERM Implementation Considerations
- Impact of ERM on Internal Audit

The Rise of ERM / How Did We Get Here?

How We Got Here: The 2008 Financial Crisis
- Housing bubble begins to burst
- Unemployment begins to increase dramatically
- Mortgages start to go into default
- Large insurance companies that issued credit default swaps and similar instruments are forced to unwind positions to pay for credit losses
- Significant liquidity stress is placed on the entire financial infrastructure
- Stock prices fall; panic begins
- Business volumes go down / more workers are laid off
- International / global markets enter the Great Recession
- More investments are liquidated by individuals to pay bills
- More pressure on stock valuations
- And the cycle continues and continues.

Then the US Government Steps In
- Stop the panic, stabilize the markets, provide liquidity
- Bail-outs begin to emerge
- Re-organizations / liquidations occur at a rapid pace
- The Fed begins to print money to provide liquidity / support to the financial system
After stabilization, the federal government attempts to stimulate the economy:
- Cash for Clunkers
- "Shovel ready" projects
- Solar and wind energy initiatives
- Quantitative Easing (printing money) by the Fed
Then came the reforms:
- Dodd-Frank legislation
- CFPB
- SIFI designations, the Financial Stability Oversight Council, etc.

Then ERM Is Reborn
Financial services changes:
- Enhanced Prudential Standards requiring ERM
- The Own Risk and Solvency Assessment (ORSA) issued by the NAIC requires ERM for the insurance industry
Then the SEC steps in for other industries:
- Expanded emphasis on risk management through the SEC's National Examination Program, with an emphasis on meeting with senior management and boards to determine how firms govern and manage financial, legal, compliance, operational, and reputational risks.
- ERM continues to be an emphasis; recent public statements by SEC staff have cited it as an ongoing area of focus.

Does ERM Only Benefit Financial Institutions?
ERM is growing in prominence in many different industries as a better way to manage business risks and objectives. All types of businesses in all types of industries can benefit from ERM; risk is not unique to financial institutions. Some other areas that can benefit from ERM:
- Product risks (Manufacturing): GM ignition switches
- Vendor management (All industries): Takata airbags
- Operational risks (Retail): RadioShack bankruptcy
- Cyber risks (All industries): Target, Anthem, Sony
- Reputation (All industries): Everyone

Foundational Understanding of ERM - ERM Frameworks and Maturity Analysis

What Is Enterprise Risk Management / Why Have It?
A structured and disciplined approach that supports the alignment of strategy, processes, people, technology and knowledge as an organization evaluates and manages the uncertainties it faces in order to attain its goals. This could include:
- Financial performance improvement
- Loss reduction
- Reputation management
- Employee retention
- Resource maximization
- Improved management of the business
- Reduced liquidity issues / financial crisis exposure
- Coordinated risk management activity to avoid gaps, leverage efficiency and break down silos

ERM and the Three Lines of Defense Model (diagram)
Governing Body / Board / Audit Committee and Senior Management sit above the three lines; External Audit and the Regulator sit outside them.
- 1st Line of Defense: Management controls; internal control measures
- 2nd Line of Defense: Financial control; Security; Risk management; Quality; Inspection; Compliance
- 3rd Line of Defense: Internal audit
Source: IIA Position Paper, The Three Lines of Defense in Effective Risk Management and Control

ERM and the Three Lines of Defense: Org Structure (diagram)
Board of Directors (with a Board Risk Committee); CEO (with a management Risk Committee); Chief Operating Officer, Chief Financial Officer and other C-level executives; Chief Risk Officer; Internal Audit; Business Unit Leadership and Finance & Accounting, each with support staff.
- First Line (Business Units and G&A Support Functions): owns risks and controls risks
- Second Line (ERM): oversees and monitors risks
- Third Line (Internal Audit): provides independent assurance

COSO Enterprise Risk Management Framework
Various models are available, including COSO ERM, ISO 31000 and actuarial risk models. At Experis, we use COSO.
Major Risk Categories (top of the cube):
- Strategic risks: risks that impact the future direction and goals of an organization.
- Operational risks: risks relating to the day-to-day operations of the organization, including the management of business assets and liabilities, the risks associated with generating revenue / receipts, and the payment of expenses directly associated with the revenues and of other costs such as general and administrative expenses.
- Reporting risks: risks centered on internal and external organizational reporting, i.e. ensuring that financial and other reporting is complete, accurate, timely and includes relevant information for business decisions.
- Compliance risks: risks related to regulatory and contractual requirements and to organizational policies.

COSO Enterprise Risk Management Framework: Organization Structure (side of the cube)
The right face of the COSO framework shows that effective risk management occurs at the top entity level and throughout the other divisions, units and functions of an organization. This may include product lines.

COSO Enterprise Risk Management Framework: Components of Risk Management (face of the cube)
Eight elements that should be in place in an organization for sound risk management:
- Internal Environment: the organizational cultural tone, including risk management philosophy and appetite, integrity and ethical values.
- Objective Setting: the process of establishing clear ERM objectives so that measurement and performance may be evaluated.
- Event Identification: the process used to identify internal and external events affecting the achievement of the entity's objectives.
- Risk Assessment: the process used to analyze risks considering the likelihood and impact of events. Risks should be assessed on both an inherent basis (without controls or a risk mitigation strategy) and a residual basis (with controls or another risk mitigation strategy).
- Risk Response: the decision process for how management responds to risk (aka risk treatment options), which may include avoiding, accepting, reducing or sharing risks, considering the risk appetite and tolerances.
- Control Activities: the process of establishing and implementing policies and procedures to ensure risk responses are effectively carried out.
- Information and Communication: the process in place to ensure information and communication flow throughout the entity, including up, down and across.
- Monitoring: the management process used to ensure the risk management function is achieving its objectives.

How COSO ERM Fits It All Together
The Chief Risk Officer (Risk Oversight) sits over the four major risk categories; the sub-risk categories roll down to lines of business / products, etc.

Major Risk Category      | Sub-Risk Categories
Strategic Initiatives    | Growth Strategies (Acquisitions, New Branches, New Products); Ops Improvement (Cost Reduction, Efficiency Improvement); Sustainability; Governance Initiatives; Reputation
Operational Execution    | Finance (Investment, Credit, Market and Liquidity); Information Technology (Security, Privacy, DRP); Operations (Transactional Processes); Sales and Marketing (Product Development); Reputation
Reporting                | External / Public Reporting; Regulatory Reporting; Internal Management Reporting; Board Reporting; Reputation
Regulatory / Compliance  | Regulatory Requirements; Corporate Policies and Procedures; External Regulatory Examinations; Contract / Vendor Management; Reputation

General Enterprise Risk Management Hierarchy (diagram)
In this illustration the banking line of business is used as an example; Wealth Management and Insurance follow the same process. The diagram reads left to right:
- Enterprise Strategic Goals & Objectives, with Risk Appetite and Risk Tolerance set at the enterprise level
- Business Plans / Strategies by line of business (Banking, Wealth Management, Insurance), each with Strategic Initiatives 1, 2, 3, etc., grouped under Operational, Reporting and Regulatory / Compliance goals
- Risk categories that threaten attainment of the strategies and goals: Funding, Timing, etc.; Market, Interest Rate, etc.; Credit; Information Technology; Operations, etc.; Regulatory (CFPB, OCC, State and Local, etc.); External and Internal reporting
- Controls 1, 2, 3 to manage each risk, within the business unit's disaggregated tolerances

Discussion of Risk Appetite and Risk Tolerance
Risk Appetite: Definition (source: abridged from COSO, Enterprise Risk Management - Integrated Framework, p. 19)
The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy, and in turn influences the entity's culture and operating style. Risk appetite guides resource allocation. Risk appetite assists the organization in aligning the organization, people, and processes in designing the infrastructure necessary to effectively respond to and monitor risks.

XYZ Proposed Risk Appetite Statement
Due to the regulatory requirements that govern the financial services industry and the competitive nature of our industry, XYZ Bank operates within a range of risk appetites. Our risk appetite, by major risk category, is summarized as follows:
- Strategic Initiatives: Moderately high risk appetite for projects in this category. This category includes initiatives such as acquisitions, new branch locations, major reorganizations, new products and markets, and major technology / efficiency improvement initiatives.
- Operational Execution and Reporting: Low risk appetite for risks that may impair our reporting and operations objectives. We expect relative stability of earnings, liquidity and financial stability in our operations, and reporting that is relevant, timely, complete and accurate. This risk appetite level requires reducing to reasonably practicable levels the risks originating from our reporting and technology systems and from non-compliance with the operational policies and procedures designed to manage the operational risks that support our business objectives.
- Regulatory / Compliance: Low risk appetite for non-compliance with regulatory requirements and legal obligations. Attaining a high level of compliance is fundamental to our business operations and to maintaining a strong reputation in our industry and our markets.

Discussion of Risk Appetite and Risk Tolerance (cont.)
Risk Tolerance: Definition (source: COSO, Enterprise Risk Management - Integrated Framework, p. 20)
The acceptable level of variation relative to achievement of a specific objective, often best measured in the same units as those used to measure the related objective. In setting risk tolerance, management considers the relative importance of the related objective and aligns risk tolerances with risk appetite. Operating within risk tolerances helps ensure that the entity remains within its risk appetite and, in turn, that the entity will achieve its objectives.

XYZ's Proposed Risk Tolerance Statement
As mentioned above, risk tolerance is designed to measure (qualitatively and quantitatively) our inherent and residual risks based on specific criteria. In developing our ERM program, we have agreed upon definitions of risk (probability and impact) to guide these assessments. Our risk scoring criteria are set forth on pages 5-7 of our Enterprise Risk Management Program and included as an appendix to this presentation. Using this and other information, our risk tolerance statement, by major risk category, consists of the following:
- Strategic Initiatives: Our risk tolerance for items in this category is a moderate impact on the organization or a significant impact on a department or functional area. This would include strategic initiatives that may result in:
  - A project cost variance of the greater of 10% or $3 million
  - A short-term regional or local issue with high public exposure and negative media coverage
  - Moderate (5% or less) loss of market share
  - A report / notification to a regulator with immediate corrective action; MRIAs (Matters Requiring Immediate Attention) from regulators
  - Staff morale problems and high turnover

Risk Appetite and Risk Tolerance (cont.)
- Operational Execution: Our risk tolerance for items in this category is a low impact on the organization or a minor impact on a department or functional area. This would include operational execution areas that may result in:
  - Operation of the department or functional area being temporarily disrupted, but likely limited to specific / isolated business processes
  - Financial losses of less than $3 million
  - Little or no public exposure and/or local media attention that is quickly remediated
  - Minor staff morale problems and turnover
  - Negligible loss of market share
- Reporting: With respect to all aspects of reporting, our expectation is that reports contain the relevant / required information and are complete, accurate and timely for use by management, regulatory authorities and various third parties. As such, our risk tolerance in this area is low and would include only minor errors such as:
  - Differences between estimates of future outcomes and actual outcomes where the estimates are based on reasonable assumptions
  - Reports where minor corrections / errors have resulted in adjustments that are within 3% of the actual / corrected amounts

Risk Appetite and Risk Tolerance (cont.)
- Regulatory / Compliance: Our risk tolerance for items in this category is a low impact on the organization or a minor impact on a department or functional area. This would include regulatory / compliance risks such as:
  - Non-compliance that is non-systemic / an isolated occurrence
  - Non-compliance whose impact does not require the attention of the XYZ executive management team
  - Non-compliance with regulatory matters that is non-systemic, does not warrant self-reporting and/or would not result in a regulatory action (e.g. an MRIA)
  - Financial losses from non-compliance of less than $250,000
  - Non-compliance resulting in little or no public exposure and/or local media attention that is quickly remediated
  - Minor staff morale problems and turnover
  - Negligible loss of market share

ERM and Business Strategy, Objectives & Tactics

ERM Requires Linkage of Risks to Business Strategy (illustrative table: Business Goal -> Overall Strategies -> Tactics to Attain Strategy -> Risks Related to Strategies and Tactics -> Controls to Manage Risks)
Business Goal: Become the Recognized Leader in Revenue Growth, Excellence in Operations and Financial Stability

Strategy 1.0 Grow Revenues
  Tactic 1.1 Enhance / Expand Smart Phone Technology
    R1.1.1 Technology may lack appropriate security (Reputation / Ops & Reg. Risk)
      C1.1.1.1 Perform IT vulnerability assessment including business continuity
    R1.1.2 Technology may not integrate into back office systems (Ops Risk)
      C1.1.1.2.1 Assessment of all critical interface requirements and data integrity controls
  Tactic 1.2 Develop New Products
    R1.2.1 New products may not comply with regulatory requirements (Regulatory / Reputation Risk)
      C1.2.1.1.1 Perform full regulatory and compliance review of all products prior to market introduction
      C1.2.1.2 Develop and implement sales training programs with a focus on regulatory compliance

Strategy 2.0 Reduce Enterprise Costs
  Tactic 2.1 Improve Efficiency Through New IT Systems
    R2.1.1 Technology solution may be incompatible with existing systems
      C2.1.1.1 Establish a cross-functional PMO to identify comprehensive needs and vendors with potential solutions
    R2.1.2 Lack of experience in systems selection and implementation
      C2.1.2.1 Form a vendor selection committee to evaluate potential vendors and their ability to meet all strategic, operational and compliance key requirements
  Tactic 2.2 Outsource IT to Cloud Technology
    R2.2.1 Vendor may lack sufficient controls over the cloud environment
      C.2.1.1 Perform detailed risk assessment of the vendor's risk management and controls
    R2.2.2 Vendor may lack long-term economic viability
      C2.2.2.1 Perform semiannual reviews of vendor economic performance / obtain D&B reports

Risk Assessment Example (using Risk 1.1.1 from the prior slide)
Steps: Risk Identified -> Assess Inherent Risk -> Choose Risk Response (against Risk Appetite and Tolerances) -> Identify Controls Related to the Risk Response -> Assess Residual Risk. Risk decision options: Avoid, Accept, Reduce or Share.
- Risk identified: R1.1.1 Technology may lack the appropriate security controls. Risk categories: Reputational, Operational and Regulatory.
- Inherent risk: Likelihood = 7 (Probable), Impact = 7 (Critical). Overall Inherent Risk = High.
- Risk response: Reduce.
- Controls related to the response: 1. Perform in-depth analysis of technology software control systems; 2. Assess data transmission / network controls; 3. Perform user awareness training; 4. Etc.
- Residual risk: Likelihood = 2 (Low), Impact = 3 (Low). Overall Residual Risk = Low (within Risk Appetite and Tolerance).
Risks are generally categorized and assigned various data elements including: major risk category (Financial, Operational, Reputational, Political, etc.), risk owner, and a reference to the controls documentation.

The ERM Maturity Model (timeline, earliest to most mature)
1. Develop internal buy-in and benefits awareness
2. Perform gap analysis
3. Develop governance structure
4. Develop risk universe and language
5. Execute a risk assessment
6. Assign responsibility for respective risks
7. Integrate into strategic initiatives
8. Align with senior leadership on the key risks
9. Initiate risk reporting and monitoring
10. Leverage the Risk Committee to review risks and the effectiveness of risk mitigation
11. Evaluate risk tolerances and policies / authorities
12. Expand risk reporting
13. Integrate risk-based decisions into management's daily operations
14. Integrate Internal Audit with ERM assessment and monitoring
15. Adjust from a cost/benefit to a risk/reward decision process
16. Leverage risk management for competitive advantage in the market
17. Integrate continuous monitoring of key risk indicators into risk reporting

A Brief Word About Risk Aggregation / Disaggregation
Risk tolerance is determined at an enterprise-wide level. Therefore tolerance needs to be disaggregated down to business units, product lines and other business activities, as appropriate. E.g. Product Risk 1 + Product Risk 2 = Aggregated Risk Tolerance (all in terms of residual risks).

A simple example: assume the tolerance for variability of targeted revenues is 3% on $1 billion of consolidated targeted revenues ($30 million). BU 1 sells $800 million of high-tech products in a competitive market; BU 2 sells $200 million of lead pencils. BU 1 may therefore be allowed more than 3% variability against its revenue target (say 3.5%, or $28 million), while BU 2 may be allowed substantially less than 3% (say 1%, or $2 million) given the predictability / stability of BU 2's markets (i.e. its relative operational risk). Therefore: Risk BU 1 + Risk BU 2 = 3% of consolidated revenues ($30 million).
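The scoring flow on the Risk 1.1.1 slide (inherent rating, response, controls, residual rating checked against tolerance) and the BU 1 / BU 2 disaggregation above, carried through as an added Python example. This is not code from the deck or from Experis. The deck gives only two scored points (7x7 = High, 2x3 = Low), so the 1-10 rating bands and the "Medium" band are assumptions, as are the risk owner and the second, over-allocated unit split used to show the check failing. Dollar figures are rounded to cents so that the allocation sum is compared exactly rather than through floating-point noise.

```python
"""Risk register scoring and tolerance disaggregation (added example;
not from the Experis deck). Rating bands and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Rating bands for a 1-10 likelihood x 1-10 impact grid. Assumed cut-offs:
# the deck only shows 7x7 -> High and 2x3 -> Low; "Medium" is ours.
RATING_ORDER = ("Low", "Medium", "High")


def rate(likelihood: int, impact: int) -> str:
    """Map a likelihood/impact pair to an overall rating."""
    if not (1 <= likelihood <= 10 and 1 <= impact <= 10):
        raise ValueError("likelihood and impact must be in 1..10")
    score = likelihood * impact
    if score >= 35:
        return "High"
    if score >= 15:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    ref: str
    description: str
    categories: tuple
    owner: str
    inherent: tuple                 # (likelihood, impact) before controls
    response: str                   # Avoid, Accept, Reduce or Share
    controls: list = field(default_factory=list)
    residual: Optional[tuple] = None  # (likelihood, impact) after controls

    def inherent_rating(self) -> str:
        return rate(*self.inherent)

    def residual_rating(self) -> str:
        if self.response == "Accept":
            # Accepting means no mitigation: residual equals inherent.
            return self.inherent_rating()
        if self.residual is None:
            # Any other response must be followed by a residual assessment.
            raise ValueError(f"{self.ref}: residual not assessed after '{self.response}'")
        return rate(*self.residual)

    def within_tolerance(self, max_rating: str) -> bool:
        """True if the residual rating is at or below the tolerated rating."""
        return RATING_ORDER.index(self.residual_rating()) <= RATING_ORDER.index(max_rating)


def disaggregate(enterprise_revenue: float, enterprise_pct: float, units: dict) -> dict:
    """Allocate an enterprise revenue-variability tolerance to business units.
    `units` maps unit name -> (unit revenue, unit tolerance as a fraction).
    Returns the per-unit dollar tolerances and whether their sum stays inside
    the enterprise tolerance (the deck requires the parts to add up to it)."""
    enterprise_tol = round(enterprise_revenue * enterprise_pct, 2)
    allocations = {name: round(rev * pct, 2) for name, (rev, pct) in units.items()}
    total = round(sum(allocations.values()), 2)
    return {
        "enterprise_tolerance": enterprise_tol,
        "allocations": allocations,
        "total_allocated": total,
        "headroom": round(enterprise_tol - total, 2),
        "within_appetite": total <= enterprise_tol,
    }


# Constructed register entry modelled on R1.1.1 from the deck. The scores and
# controls are the deck's; the owner is made up.
R_1_1_1 = Risk(
    ref="R1.1.1",
    description="Technology may lack the appropriate security controls",
    categories=("Reputational", "Operational", "Regulatory"),
    owner="CIO (assumed)",
    inherent=(7, 7),
    response="Reduce",
    controls=["In-depth analysis of technology software control systems",
              "Assess data transmission / network controls",
              "User awareness training"],
    residual=(2, 3),
)

if __name__ == "__main__":
    print(R_1_1_1.ref, R_1_1_1.inherent_rating(), "->", R_1_1_1.residual_rating(),
          "| within Low tolerance:", R_1_1_1.within_tolerance("Low"))
    # The deck's split: 3% of $1bn split as 3.5% of $800m and 1% of $200m.
    print(disaggregate(1_000_000_000, 0.03, {"BU1": (800e6, 0.035), "BU2": (200e6, 0.01)}))
```

The `Accept` branch is the edge case worth noting: a register that lets an accepted risk carry a blank residual score silently reports it as unrated, so the code treats residual as equal to inherent for that response and refuses to rate any other response until a residual assessment has been recorded.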

ERM Implementation Considerations

Practical Guide to Implementation
Recommended starting points:
- Standard language
- Executive / Board support
- Governance structure
- Risk appetite and tolerances
- Risk assessment
- Accountability
- Basic reporting information
- Process
Evolution items:
- Reporting needs
- Measures
- Policies
- Database
- Risk-based capital allocation
- Link to incentives
- Response strategies
- Increased accountability

Some Best Practices for ERM
- Create the ERM program from the top down, not the bottom up; CEO and Board buy-in is a critical first step
- Define risk appetite and risk tolerance
- Build the ERM risk assessment using qualitative and quantitative metrics
- Assess all categories of risk (strategic, operational, reporting and compliance) for both upside risk / rewards and downside risk / loss prevention
- Work closely with BU leadership to sell the program and its benefits
- Focus on key enterprise risks; don't get lost in the weeds
- Have an implementation plan for ERM: ERM programs take time and need milestones to manage implementation; the plan should include timelines and a commitment of resources
- Strongly consider acquiring technology solutions for complex organizations
- Don't underestimate the effort and time requirements
- Get everyone engaged and bought into ERM; training will be required
- Communicate, communicate, communicate

Some Best Practices for ERM (cont.)
- Utilize a recognized ERM framework: frameworks provide a roadmap to implementing an efficient and effective ERM program; COSO ERM, ISO 31000 and others exist
- Consider the impact of ERM on Internal Audit: a strong ERM function will most likely change the focus of Internal Audit; IA should audit the ERM function annually and adjust its audits based on the strength of ERM
- Have one enterprise-wide risk universe: one version of the truth

Implementation Suggestions
- Optimize your existing risk management practices, then fill in the gaps
- Keep it simple and scalable
- Build in partnership with the business / integrate risk management into the operations of your business
- Leverage actionable results while the program is being developed
- Balance risk management expertise with industry expertise
- Align your organizational goals with associated risks
- Integrate a standard risk language, process, governance structure, reporting and monitoring
- Take a phased and efficient approach

Implications for Internal Audit / ISACA Members

IA Overall Role and Core Role in ERM
Role of Internal Audit: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Role of Internal Audit in ERM: "Internal auditing's core role with regard to ERM is to provide objective assurance to the board on the effectiveness of an organization's ERM activities to help ensure key business risks are being managed appropriately and that the system of internal control is operating effectively." (Source: IIA Position Paper)

IIA's View of IA's Role in ERM Environments

IA Assurance Reporting on ERM: Internal Audit's Review of the ERM Function (Assurance)
- Understand the goals and objectives of your ERM program, including: organizational structure and reporting relationships; establishment / approval (C-level and Board) of risk appetite and risk tolerances; the risk assessment methodology; risk monitoring and reporting; internal, external and emerging risks
- Review the ERM framework selected; if none was selected, why not?
- Conduct an in-depth review of each component of the framework (e.g. the COSO model); all components are critical to a sustainable, efficient and effective ERM function
- Strongly consider whether your Internal Audit plan can use the same risk assessment as ERM; strive for one version of the truth, and if not, why not?

IA's Consulting Support to ERM: Internal Audit's Advisory / Consulting Role
Facilitating the understanding of:
- Strategic, operational, reporting and regulatory / compliance risks
- Risk appetite / tolerance (consultation)
- Organizational structure of ERM
- Risk management personnel / staffing considerations
- Techniques to assess the design and operating effectiveness of internal controls
- Risk assessment methodology
- Aggregation and de-aggregation of risks
- Risk monitoring protocols
- Processes to identify internal, external and emerging risks
- Risk reporting up, down and throughout the organization

IA's Need for Independence
Internal Audit should NOT make management decisions or take actions related to:
- Setting the risk appetite
- Imposing risk management processes
- Management assurance on risks
- Taking decisions on risk responses
- Implementing risk responses on management's behalf
- Accountability for risk management

IA's Leveraging of ERM
If you audit ERM AND can rely on its effectiveness, consider:
- Opining on ERM as a reliable governance structure, if you can
- Reducing transactional testing and relying on ERM's / Compliance's testing (with selected performance by IA); all ERM programs include compliance management / testing / controls monitoring as a component
- Calibrating IA's risk assessment with the ERM risk assessment; if they differ, why?
- Expanding the focus on how management is managing emerging risks
- Expanding your focus on business strategy / higher risks that may not previously have been included in your risk assessments

Why ERM?

Why ERM?
If:
- You are in a regulated industry
- The attainment of key business strategies is key to your financial success / stock price
- You have complex operations
- You are impacted by ever-changing market dynamics / future events
- Reputation is an important element of your business model
- Something is important to your organization
Then:
- ERM can help you manage the risk (losses) associated with non-compliance
- ERM can provide structured oversight to manage the attainment of your strategic objectives
- ERM can provide a transparent / objective view of your business operations / key risks
- ERM can help you anticipate future events and develop appropriate action plans
- An ERM structure can help manage the wide variety of events that can damage your reputation and destroy enterprise value
- ERM can help you achieve your goals

Questions?

General Risk Management Hierarchy
Board
- Reviews and approves business and risk management strategy
- Approves risk definitions (appetites and tolerances)
- Provides on-going organizational oversight
Executive Management
- Develops business / risk strategy
- Implements strategy
- Develops organizational policies
Functional / Departmental Leaders
- Develop procedures (internal controls)
- Own accountability for procedures
- Provide training on procedures
Staff Employees
- Execute procedures

The Value Proposition for ERM: Does ERM Have an ROI?
Some potential qualitative and quantitative benefits:
Potential qualitative benefits:
- Improved ability to attain strategic goals
- Reduced volatility of profit / cash flow
- Alignment of views on key business risks
- Aligned and managed business strategy
- Forward-looking view of existing / emerging risks
- Improved corporate governance and oversight
Potential quantitative benefits:
- Improved debt ratings / lower borrowing cost
- Avoidance of regulatory fines, penalties, etc.
- Ability to better project financial results, dividends and stock buy-backs
- Elimination of inefficiencies and duplication of effort (rationalization of risk management effort to the relative importance of risks)
- Reduced operational losses
- Reduced market share / stock price losses associated with reputation

What Are Some of the Benefits of ERM?
ERM is designed to increase the likelihood that your organization will achieve its goals in accordance with its mission and risk tolerance. This could include:
- Financial performance improvement
- Loss reduction
- Reputation management
- Employee retention
- Resource maximization
- Improved management of the business
- Reduced liquidity issues / financial crisis exposure
- Coordinated risk management activity to avoid gaps, leverage efficiency and break down silos

People, Process and Technology Make ERM Work: Fundamental Components of Effective Risk Management
- People: Tone at the top; Board buy-in; Vision; Leadership; Managerial skills; Technical knowledge; Experience; Training; Staffing levels; Succession plans; Compensation
- Process: Governance; Policies; Procedures; Internal controls; Operational management; Compliance management; Workflow process (automated vs. manual)
- Technology: GRC technology systems; KPI reporting; Data feeds / management reports from key systems