Presentation on theme: "Introduction to Enterprise Risk Management (ERM)"— Presentation transcript:
1 Introduction to Enterprise Risk Management (ERM)
John P. Behringer, McGladrey (slides provided by Rebecca Towne, Director, McGladrey)
2 Traditional Risk Management vs. ERM
Traditional Risk Management:
- Tactical, compliance focused
- Silo-based processes
- Business line or risk type view
- Looks at risks individually
- Business decisions not closely linked to risks
- Driven by Risk Management and Internal Audit
- Supported by rules
ERM:
- Strategic, performance focused
- Consistent risk management approach across the enterprise
- Holistic view of key risks
- Considers risk interactions
- Business decisions based on a clear understanding of risks
- Driven by the board and owned by the business
- Supported by a "risk culture"
3 A Holistic View of Risk
Risk types vary by institution and may include:
- Operational risk
- Liquidity risk
- Strategic risk
- Market risk
- Compliance risk
- Reputational risk
- Legal risk
- Environmental
- Security
What is a holistic view of risk?
- Aggregated risk exposures across the enterprise, for example concentrations by business line, product, customer segment, industry, or geography
- Consideration of all types of risk, including interactions between risks
- Consideration of alternative, forward-looking scenarios
4 Enterprise Risk Management
Financial institution example of interactions between risks (diagram): an economic shock causes Credit Risk to increase, which in turn drives
- Liquidity Risk: losses reduce funds
- Reputational Risk: issues become public
- Compliance Risk: regulatory scrutiny increases
- Strategic Risk: new restrictions/requirements
- Legal Risk: borrowers under duress
- Operational Risk: cut-backs in resources
- Market Risk: investors leave / values decline
5 Advanced ERM Practices
Range of ERM practices (ERM process maturity):
Basic ERM practices:
- Policies for each risk type
- Decisions based primarily on management judgment
- CFO or other executive responsible for risk oversight
- Less board involvement / reliance on Audit Committee
- Manual aggregation processes
- Tactical risk management training
Advanced ERM practices:
- Formally documented ERM framework
- Decisions based on complex, data-driven analysis
- ERM function and CRO
- Active board and Risk Committee involvement
- Highly automated aggregation and reporting processes
- ERM training based on a common risk language
6 Roles and Responsibilities
Three Lines of Defense:
- 1st: Business Lines and Functions. "Own" the risks associated with their activities and execute risk management processes.
- 2nd: Risk Management. Designs and coordinates the implementation of the ERM program.
- 3rd: Internal Audit. Validates the effectiveness of the ERM program.
7 Internal Audit's Role in ERM
Boards require objective assurance that risk management processes are working and key risks are being managed effectively. Internal (or external) auditors respond to this need by giving assurance on:
- The appropriateness of the company's ERM framework
- The accuracy of risk and control assessments
- The effectiveness of risk management processes
- The appropriateness of management's actions to address risks
- The accuracy of risk reports
8 Internal Audit's Role in ERM
In smaller institutions, Internal Audit may play a larger role in developing and overseeing the ERM framework, with appropriate safeguards to protect its independence:
- Audit should not be involved in actually managing risk, as this is the responsibility of the management team.
- Audit's responsibilities should be documented and approved by the Audit Committee.
- Audit cannot give objective assurance on any part of the ERM framework for which it is responsible.
- Audit should not undertake any ERM responsibilities in which the function does not have adequate expertise.
9 ERM Framework
An ERM Framework should include:
- Risk governance
- Risk appetite setting
- Enterprise-wide risk management processes:
  - Identification of risks
  - Assessment / measurement of risks
  - Monitoring of risks and actions to address risks
  - Management of risk through controls/risk responses
  - Reporting of risks and the status of action plans
- Integration with business decision-making
- Establishment of a strong risk culture
10 Risk Governance
Governance structure (diagram): Board oversight; ERM committee; Risk committees (e.g., ALCO); ERM function.
Areas covered: risk policies, risk appetite, incentives, ERM training, capital adequacy, product/strategy review.
Governance responsibilities:
- Reviews and approves risk strategies, frameworks, and policies
- Reviews risk reports and recommends/monitors risk limits and action plans
- Oversees the implementation of the ERM framework/controls
11 Risk Appetite
An effective ERM program relies on the establishment and communication of the company's risk appetite. It:
- Helps employees to understand the specific risks that the company is willing and not willing to take.
- Provides a means for ensuring that actual risk-taking is consistent with the company's risk-taking capacity.
12 Risk Culture
Development of a risk culture is critical to effective ERM. Ways to establish a risk culture that is supportive of risk management:
- "Tone at the top":
  - Reference the importance of risk management in the company's objectives
  - Incorporate risk management into ongoing executive management communications
  - Exhibit the desired risk management behaviors
- Code of Conduct or Ethics
- Risk management factors included in incentive and performance evaluation plans
- Clearly defined roles and responsibilities that are consistent with the three lines of defense
13 Integrating ERM into Decision-Making
To be effective, risk management must be integrated into day-to-day business line activities and corporate decisions:
- Risk Managers must be involved at the onset of strategy-setting processes
- Risks associated with new products should be considered and communicated to the board
- Analysis of emerging risks and stress tests should influence business decisions
- Risk information should be shared across the company to avoid the same event recurring
14 Risk Management Processes
Risk management processes are grouped in different ways but generally include the following cycle (diagram): Identify, Measure, Assess/Respond, Manage/Monitor, Report.
Ideally, each of these processes should be ongoing rather than, for example, annual.
15 Risk Identification
Risk identification processes should begin with appropriate planning:
- Mapping of the company's business lines and processes
- Determination of the risk types to be included in the process (e.g., operational, legal, reputational)
- Identification of resources responsible for the process in each area
Risks can be identified through various methods, such as interviews, surveys and/or facilitated workshops:
- Different levels of the organization may have different perspectives on risks
- Include emerging risks
- Be wary of risks that are really the absence of controls
16 Risk Assessment
Best practices in risk assessment include:
- Identification of risks against key business objectives
- Coordination of risk assessments through interviews, surveys or facilitated workshops to ensure consistency
- Use of available information, such as Key Risk Indicators (KRIs), to ensure objectivity
- Assessments of the adequacy of internal controls must also be objective
- Oversight and use of information, such as the results of quality control reviews, are critical
17 Using Risk Assessments
Internal Audit assessments are generally used to:
- Determine the scope and frequency of audits
- Compare to business line assessments
Business Line assessments are used to:
- Prioritize risks across the company
- Identify the top risks to the company
- Identify appropriate responses to risks, as well as areas where the adequacy of controls is too low for the level of risk
- Drive risk-based monitoring processes
Avoid the "black hole" of risk assessment data!
18 Risk Management / Responses
- Risk responses should be based on an assessment of loss frequency and impact
- Management actions should be specific to reducing likelihood or impact, depending on which one was assessed as high
- The most common risk responses include:
  - Avoid (get out)
  - Accept/retain (monitor)
  - Reduce (institute controls)
  - Transfer or share (partner with someone)
- Action plans with assigned owners should be developed and monitored by a risk committee
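The scoring and aggregation mechanics that slides 3, 17 and 18 describe in prose, as an added Python example that is not part of the McGladrey deck: a small risk register scored on assessed loss frequency (likelihood) and impact, a control-gap check for areas where control adequacy is too low for the level of risk, aggregation of exposure by business line to surface concentrations, and a heuristic that picks one of the deck's four responses and says which dimension the action plan should target. The 1-5 scales, the residual-score formula, the response mapping and the sample risks are all assumptions constructed for illustration, not figures from the presentation.

```python
"""Added example, not part of the McGladrey deck: a small risk register that
scores each risk by assessed loss frequency (likelihood) and impact, flags
control gaps, aggregates exposure to show concentrations, and suggests which
dimension an action plan should target.  The 1-5 scales, the residual-score
formula, the response heuristic and the sample risks are all assumptions
constructed for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    business_line: str
    risk_type: str
    likelihood: int        # assessed loss frequency, 1 (rare) .. 5 (frequent)
    impact: int            # assessed loss severity, 1 (minor) .. 5 (severe)
    control_adequacy: int  # 1 (weak controls) .. 5 (strong controls)

    @property
    def inherent_score(self) -> int:
        """Likelihood x impact before considering controls."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> float:
        """Assumed formula: strong controls scale the inherent score down."""
        return self.inherent_score * (6 - self.control_adequacy) / 5


def recommend_response(r: Risk, high: int = 4) -> tuple[str, str]:
    """Map the assessment to one of the deck's four responses and say which
    dimension (likelihood or impact) the action plan should attack.  The
    mapping is a common heat-map heuristic, not a rule stated in the deck."""
    high_likelihood = r.likelihood >= high
    high_impact = r.impact >= high
    if high_likelihood and high_impact:
        return ("avoid", "both")             # get out of the activity
    if high_impact:
        return ("transfer/share", "impact")  # e.g. insurance or a partner
    if high_likelihood:
        return ("reduce", "likelihood")      # controls that cut frequency
    return ("accept/retain", "monitor")


def control_gaps(register: list[Risk], max_residual: float = 10.0) -> list[str]:
    """Risks whose residual score says control adequacy is too low for the
    level of risk (slide 17)."""
    return [r.name for r in register if r.residual_score > max_residual]


def exposure_by(register: list[Risk], attr: str) -> dict[str, float]:
    """Aggregate residual exposure by business line, risk type, etc. to
    surface concentrations (slide 3), largest first."""
    totals: dict[str, float] = defaultdict(float)
    for r in register:
        totals[getattr(r, attr)] += r.residual_score
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def top_risks(register: list[Risk], n: int = 3) -> list[str]:
    """The company's top risks by residual score (slide 17)."""
    return [r.name for r in sorted(register, key=lambda r: -r.residual_score)[:n]]


def sample_register() -> list[Risk]:
    """Constructed sample data; names and ratings are illustrative only."""
    return [
        Risk("Core banking outage", "Retail Banking", "Operational", 2, 5, 3),
        Risk("Phishing-driven account takeover", "Retail Banking", "Security", 5, 3, 2),
        Risk("Commercial real estate concentration", "Commercial Lending", "Credit", 3, 5, 3),
        Risk("BSA/AML reporting lapse", "Compliance", "Compliance", 2, 2, 4),
        Risk("Vendor data breach", "Retail Banking", "Security", 4, 4, 2),
    ]


if __name__ == "__main__":
    reg = sample_register()
    print("Top risks:", top_risks(reg))
    print("Control gaps:", control_gaps(reg))
    print("Exposure by business line:", exposure_by(reg, "business_line"))
    for r in reg:
        response, target = recommend_response(r)
        print(f"{r.name}: residual={r.residual_score:.1f} -> {response} (target {target})")
```

Running the script shows the "Retail Banking" line concentrating most of the residual exposure, which is the kind of aggregated view slide 3 asks for; the two security risks fall out as control gaps, and the response suggested for each risk names the dimension (likelihood or impact) that was rated high, so the resulting action plan attacks the right one. The thresholds are deliberately simple: a real program would calibrate them to the institution's stated risk appetite.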
19 Risk Reporting
- Reporting should also follow from risk assessments, with higher risks reported in more depth
- Emphasis of risk reporting should be on highlighting key risks and recommendations for, and status of, management action
- Volumes of detail should be avoided, particularly for board reporting
- Reports should include early indicators and emerging risks
- Best practices include the development of ERM dashboards that provide a holistic view of risk and thoughtful analysis