Introduction to Enterprise Risk Management (ERM) John P. Behringer McGladrey (Slides Provided by Rebecca Towne, Director, McGladrey)


2 Traditional Risk Management vs. ERM

Traditional Risk Management:
- Tactical, compliance focused
- Silo-based processes
- Business line or risk type view
- Looks at risks individually
- Business decisions not closely linked to risks
- Driven by Risk Management and Internal Audit
- Supported by rules

ERM:
- Strategic, performance focused
- Consistent risk management approach across the enterprise
- Holistic view of key risks
- Considers risk interactions
- Business decisions based on a clear understanding of risks
- Driven by the board and owned by the business
- Supported by a "risk culture"

3 A Holistic View of Risk

What is a holistic view of risk?
- Aggregated risk exposures across the enterprise. For example, concentrations by business line, product, customer segment, industry, or geography
- Consideration of all types of risk, including interactions between risks
- Consideration of alternative, forward-looking scenarios

Risk types vary by institution and may include:
- Operational risk
- Liquidity risk
- Strategic risk
- Market risk
- Compliance risk
- Reputational risk
- Legal risk
- Environmental
- Security

4 Enterprise Risk Management

Financial institution example of interactions between risks (diagram, starting from an economic shock):
- Economic shock
- Credit Risk: increases
- Market Risk: investors leave / values decline
- Liquidity Risk: losses reduce funds
- Operational Risk: cut-backs in resources
- Legal Risk: borrowers under duress
- Reputational Risk: issues become public
- Compliance Risk: regulatory scrutiny increases
- Strategic Risk: new restrictions / requirements

5 Range of ERM Practices

Basic ERM practices:
- Policies for each risk type
- Decisions based primarily on management judgment
- CFO or other executive responsible for risk oversight
- Less board involvement / reliance on Audit Committee
- Manual aggregation processes
- Tactical risk management training

Advanced ERM practices:
- Formally documented ERM framework
- Decisions based on complex, data-driven analysis
- ERM function and CRO
- Active board and Risk Committee involvement
- Highly automated aggregation and reporting processes
- ERM training based on a common risk language

6 Roles and Responsibilities: Three Lines of Defense

- 1st line: Business Lines and Functions. "Own" the risks associated with their activities and execute risk management processes
- 2nd line: Risk Management. Designs and coordinates the implementation of the ERM program
- 3rd line: Internal Audit. Validates the effectiveness of the ERM program

7 Internal Audit's Role in ERM

Boards require objective assurance that risk management processes are working and key risks are being managed effectively. Internal (or external) auditors respond to this need by giving assurance on:
- The appropriateness of the company's ERM framework
- The accuracy of risk and control assessments
- The effectiveness of risk management processes
- The appropriateness of management's actions to address risks
- The accuracy of risk reports

8 Internal Audit's Role in ERM

In smaller institutions, Internal Audit may play a larger role in developing and overseeing the ERM framework, with appropriate safeguards to protect its independence:
- Audit should not be involved in actually managing risk, as this is the responsibility of the management team.
- Audit's responsibilities should be documented and approved by the Audit Committee.
- Audit cannot give objective assurance on any part of the ERM framework for which it is responsible.
- Audit should not undertake any ERM responsibilities in which the function does not have adequate expertise.

9 ERM Framework

An ERM framework should include:
- Risk governance
- Risk appetite setting
- Enterprise-wide risk management processes
  – Identification of risks
  – Assessment / measurement of risks
  – Monitoring of risks and actions to address risks
  – Management of risk through controls / risk responses
  – Reporting of risks and the status of action plans
- Integration with business decision-making
- Establishment of a strong risk culture

10 Risk Governance

Governance structure (diagram):
- Board oversight: reviews and approves risk strategies, frameworks, and policies
- ERM committee and risk committees (e.g., ALCO): review risk reports and recommend / monitor risk limits and action plans
- ERM function: oversees the implementation of the ERM framework / controls

Supporting elements: risk policies, risk appetite, incentives, ERM training, capital adequacy, product / strategy review

11 Risk Appetite

An effective ERM program relies on the establishment and communication of the company's risk appetite:
- Helps employees to understand the specific risks that the company is willing and not willing to take.
- Provides a means for ensuring that actual risk-taking is consistent with the company's risk-taking capacity.

12 Risk Culture

Development of a risk culture is critical to effective ERM. Ways to establish a risk culture that is supportive of risk management:
- "Tone at the top"
  – Reference the importance of risk management in the company's objectives
  – Incorporate risk management into ongoing executive management communications
  – Exhibit the desired risk management behaviors
- Code of Conduct or Ethics
- Risk management factors included in incentive and performance evaluation plans
- Clearly defined roles and responsibilities that are consistent with the three lines of defense

13 Integrating ERM into Decision-Making

To be effective, risk management must be integrated into day-to-day business line activities and corporate decisions:
- Risk managers must be involved at the onset of strategy-setting processes
- Risks associated with new products should be considered and communicated to the board
- Analysis of emerging risks and stress tests should influence business decisions
- Risk information should be shared across the company to avoid the same event recurring

14 Risk Management Processes

Risk management processes are grouped in different ways but generally include the following (process diagram):
- Identify
- Assess / measure
- Manage / respond
- Monitor
- Report

Ideally, each of these processes should be ongoing rather than, for example, annual.

15 Risk Identification

Risk identification processes should begin with appropriate planning:
- Mapping of the company's business lines and processes
- Determination of the risk types to be included in the process (e.g., operational, legal, reputational)
- Identification of resources responsible for the process in each area

Risks can be identified through various methods, such as interviews, surveys and/or facilitated workshops:
- Different levels of the organization may have different perspectives on risks
- Include emerging risks
- Be wary of risks that are really the absence of controls

16 Risk Assessment

Best practices in risk assessment include:
- Identification of risks against key business objectives
- Coordination of risk assessments through interviews, surveys or facilitated workshops to ensure consistency
- Use of available information, such as Key Risk Indicators (KRIs), to ensure objectivity

Assessments of the adequacy of internal controls must also be objective:
- Oversight and use of information, such as the results of quality control reviews, are critical

17 Using Risk Assessments

Internal Audit assessments are generally used to:
- Determine the scope and frequency of audits
- Compare to business line assessments

Business line assessments are used to:
- Prioritize risks across the company
- Identify the top risks to the company
- Identify appropriate responses to risks, as well as areas where the adequacy of controls is too low for the level of risk
- Drive risk-based monitoring processes

Avoid the "black hole" of risk assessment data!

18 Risk Management / Responses

Risk responses should be based on an assessment of loss frequency and impact:
- Management actions should be specific to reducing likelihood or impact, depending on which one was assessed as high

The most common risk responses include:
- Avoid (get out)
- Accept / retain (monitor)
- Reduce (institute controls)
- Transfer or share (partner with someone)

Action plans with assigned owners should be developed and monitored by a risk committee.

19 Risk Reporting

- Reporting should also follow from risk assessments, with higher risks reported in more depth
- The emphasis of risk reporting should be on highlighting key risks and on recommendations for, and the status of, management action
- Volumes of detail should be avoided, particularly for board reporting
- Reports should include early indicators and emerging risks
- Best practices include the development of ERM dashboards that provide a holistic view of risk and thoughtful analysis

