Implementing an Enterprise Risk Management program Robert Serena April 2015

Jan 20, 2017

Transcript
Page 1: Robert Serena - Implementing an Enterprise Risk Management program

Implementing an Enterprise Risk Management program

Robert Serena, April 2015

Page 2

About the author

Mr. Serena is a Risk Management and Actuarial executive with more than 25 years of experience across the energy, insurance, banking, professional services, and manufacturing industries.

He is an accomplished architect of business frameworks which optimize commercial results, control risk exposure, prevent financial loss, and ensure compliance with regulatory requirements, and has a proven ability to develop and implement strategies, processes, and tools to best identify, assess, and mitigate risks, with strong experience across all risk factors - Strategic, Enterprise, Operational, Market, Credit, Insurable, and Regulatory Compliance.

Areas of technical expertise:

• Insurance: Legal, contractual structure, and pricing considerations of Commercial insurance coverage lines (Property, Commercial General Liability, Workers Compensation, Business Interruption, Professional Liability, Excess Liability, and Reinsurance), and Personal Insurance coverage lines (Life, Annuities, Disability Income, and Health).

• Enterprise Risk Management Frameworks: COSO, ISO 31000, Sarbanes Oxley.

• Financial/Quantitative Analytics: Discounted Cash Flow valuation, Insurance Product pricing, Asset Adequacy testing, Derivative valuation, Financial Planning & Analysis.

• Regulatory Compliance: Insider Trading legislation (Securities & Exchange Act of 1934 (US), Financial Services and Markets Act 2000 (UK)), Anti-Bribery & Corruption legislation (Foreign Corrupt Practices Act (US), UK Bribery Act 2010), Gramm–Leach–Bliley Act (US), and Dodd-Frank.

• Information Risk Management: Medium and large-scale system implementations, Information Security frameworks, Software Development, Records Management, Data Privacy.

• Learning & Development: Developing robust and cost-effective suites of training materials across a range of topical areas, including Health, Safety and Environment concepts, legal and regulatory changes, risk management methodologies, and project management techniques.

Robert Serena, FSA, CPCU, CFA, FRM

Page 3

What is the definition of Enterprise Risk Management?

• Committee of Sponsoring Organizations (COSO) - Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

• International Organization for Standardization (ISO 31000) - A strategic organizational approach that supports the achievement of the institution’s objectives by addressing the full spectrum (reputational, strategic, financial, operational and compliance) of its risks and managing the combined impact as an interrelated set of risks.

• Society of Actuaries - Enterprise risk management (ERM) is the process of coordinated risk management that places a greater emphasis on cooperation among departments to manage the organization’s full range of risks as a whole. ERM offers a framework for effectively managing uncertainty, responding to risk and harnessing opportunities as they arise. Unlike previous risk management practices, the concept of ERM embodies the notion that risk analysis cuts across the entire organization. The goal of ERM is to better understand the shock resistance of the enterprise to its key risks and to better manage enterprise risk exposure to the level desired by senior management.

Page 4

What are the different risk types that impact the “enterprise”?

• Strategic Risk - The risk associated with future business plans and strategies, including plans for entering new business lines, expanding existing services through mergers and acquisitions, enhancing infrastructure, etc.

• Operational Risk - The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

• Regulatory Risk - The risk that a change in laws and regulations will materially impact a security, business, sector or market. A change in laws or regulations made by the government or a regulatory body can increase the costs of operating a business, reduce the attractiveness of investment and/or change the competitive landscape.

• Insurable Risk - A risk that meets the ideal criteria for efficient insurance. The concept underlies nearly all insurance decisions. To be insurable, several things must be true:

  • The insurer must be able to charge a premium high enough to cover not only claims expenses, but also to cover the insurer's expenses. In other words, the risk cannot be catastrophic, or so large that no insurer could hope to pay for the loss.

  • The nature of the loss must be definite and financially measurable. That is, there should not be room for argument as to whether or not payment is due, nor as to what amount the payment should be.

  • The loss should be random in nature, else the insured may engage in adverse selection (anti-selection).

• Financial (Market) - The risk that the value of a portfolio, either an investment portfolio or a trading portfolio, will decrease due to the change in value of the market risk factors. The four standard market risk factors are stock prices, interest rates, foreign exchange rates, and commodity prices.

• Financial (Credit) - The risk of loss when a counterparty fails to meet a payment obligation, or the risk associated with any single exposure or group of exposures with the potential to produce large enough losses to threaten the firm’s operations, or the risk of loss arising when a sovereign state freezes foreign currency payments (transfer/conversion risk), or when it defaults on its obligations (sovereign risk).

Page 5

What are the benefits of a robust ERM program?

• Strong and scalable platform to identify and pursue strategically important opportunities.

• Integrated and holistic view of all risks that impact the organization.

• Significantly improved reputation with internal and external stakeholders.

• Improved credit ratings and reduced cost of debt and equity capital.

• Effective identification of commercial opportunities and capital deployment.

• Aligns risk appetite and strategy through risk quantification and risk mapping.

• Effectively deal with uncertainty and associated risks and opportunities.

• Increased resiliency in the face of catastrophic events.

• Leverages collaborative “knowledge” to enhance risk response decisions.

• Reduces operational surprises and losses.

Page 6

How would an ERM program operate in practice?

Board of Directors/Audit Committee

Senior Management of the firm

1st Line of Defense – Business Units and functional staff: “Own” the risks associated with their activities and execute risk management processes on an operational basis.

2nd Line of Defense – Risk Management: Designs & coordinates the implementation of the ERM program:
• ERM & Project Risk
• Compliance Risk
• Information Risk
• Insurance Risk
• Operational Excellence
• HSSE & Business Continuity/Disaster Recovery

3rd Line of Defense – Internal Audit: Validates the effectiveness of the ERM program.

External Audit

Regulatory Agencies

Page 7

What determines the maturity of an ERM program?

Source: The Institute of Risk Management

Page 8

How has Risk Management evolved over the past 20 years?

Traditional Risk Management – Transactional: Risk is bad – focus is on transferring risk
• Purchase insurance to cover risks
• Hazard-based risk identification and controls
• Compliance issues addressed separately
• Safety & emergency mgmt handled separately
• “Silo” approach – risk mgmt is not integrated across the organization
• Risk Manager is the insurance buyer

Advanced Risk Management – Integrated: Risk is an expense – focus is on reducing cost-of-risk
• Greater use of alternative risk financing techniques
• More proactive about preventing and reducing risks
• Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques
• Cost allocation used for education and accountability
• More collaboration – as departments are willing
• Risk Manager may be the risk owner

Enterprise-wide Risk Management – Strategic: Risk is uncertainty – focus is on optimizing risk to achieve goals
• A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
• Aligns RM process with strategy and mission
• May include “upside risks” (opportunities)
• Helps manage growth, allocate capital & resources
• Risks are owned by all & mitigated at the department level
• Many risk mitigation & analytical tools available
• Risk Manager is the risk facilitator and leader

Page 9

What are the steps in the Risk Management Process?

Process cycle: Identify → Assess/Measure → Respond → Monitor & Report

Develop (or revise) the firm’s set of strategic objectives.

Facilitate interviews and/or workshops with front-line personnel to identify risks to these objectives. Use feedback from interviews/workshops to populate the corporate risk register.

Capture the following attributes in the risk register for each risk event: Risk Description, Risk Type, Risk Owner, Likelihood, Impact, current Controls/Mitigations, Risk Tolerance, Residual Risk.

For all risk events where the residual risk remains greater than the risk tolerance, develop remediation action plans to bring the risk back within limits.

Once all remediation plans have been completed, there are 4 potential courses of action for each risk event:
1) Avoid (get out of the activity)
2) Accept/Retain (Monitor)
3) Reduce (add additional controls)
4) Transfer (Partner or buy insurance)

Develop management reporting that provides for timely monitoring and reporting of the firm’s risk profile.

Page 10

Risk Estimation – Consider the effect of scale

Corporate level
Business Unit
Department
Functional group
Individual job role
Individual process

Level of risk increases the further up in the organization one travels – a risk that occurs at the individual process level is undoubtedly less material than a risk event that occurs at the business unit or corporate level.

Page 11

How do we get started? (1 of 2)

With ERM programs, there is definitively not a “one size fits all” strategy. The optimal strategy depends on the industry, competitive pressures, regulatory framework, information technology infrastructure, workforce demographics, and a host of other factors. Having said that, it’s always better to view an ERM program implementation in phases – Phase I should be modest in scope, requiring limited resources (time, money, people) and focus on assessing the organization’s most material risk factors. Complexity and greater analytical rigor can be added in later phases.

STEP 1 – Procure buy-in from senior management

Develop simple and clear training materials to deliver to the executive team. Where possible, articulate the value proposition for ERM in clear economic terms – increased revenue, reduced expenses, contingent losses avoided, etc. Once the buy-in is achieved, it’s critical that there be at least one project sponsor for the initiative, and additionally that each risk event has a named owner in the organization. Develop a multi-channel communication plan (e.g. email blasts, town hall meetings, organizational newsletters) through which the program and its intent will be communicated to employees. Provide employees with a feedback mechanism should they have follow-up questions.

STEP 2 – Assemble a small project team

Resource the project team with current employees from other internal groups with a Risk Management focus – Internal Audit, Regulatory Compliance, Finance, Environmental Health & Safety, HR, etc. Nominate a project director to lead the initiative. The individual doesn’t have to be a CRO, but must have a broad knowledge of the organization’s business model, product lines, and competitive environment. And he/she must have strong leadership skills and credibility with the executive team.

Page 12

How do we get started? (2 of 2)

STEP 3 – Compile and review any recent internal risk assessment materials performed by other groups (within the last year)

There is seldom a need to build an ERM program from scratch – it’s always more efficient to leverage existing work performed by other groups. Aggregate all of the data and findings from these risk assessments into a normalized risk register format – risk definition, risk category, likelihood assessment, severity assessment, current state controls and mitigations, risk owner, etc.

Once this data is normalized and tabulated, identify the top 5 existing risks (as measured by residual exposure) and pick a target business segment in which to run the Phase I ERM “pilot”.

STEP 4 – Perform a risk assessment in the target business segment

Distribute an online questionnaire to selected individuals in the target business segment – functional leads and their direct reports. The questionnaire doesn’t need to be long or complex – there are just a few simple questions:

• What are the key strategic objectives of the business segment? (Look for consistency with the executive team)
• What are the top 7 to 10 mission critical operational processes that are required to realize these goals?
• What are the top 5 risks that could adversely impact these processes?
• What controls are currently in place (the “as-is” state) to help mitigate these risks?

As a follow-on to the questionnaires and to reinforce the findings, chair multiple F2F sessions to gather additional information. Invite the same individuals that were on the distribution list for the questionnaire.

STEP 5 - Identify gaps and formulate a remediation plan

Tabulate all of the feedback gathered from the questionnaires and facilitated F2F sessions, combine with findings from existing risk assessments, and develop a detailed gap analysis on the top 5 key risks. Present the findings to senior management with budget and time estimates for the remediation plan.

Page 13

What elements go into the Total Cost of Risk (TCOR)?

Compensation and ancillary benefits for Risk Management staff members:
• Direct cash and incentive compensation.
• Employee benefits.
• Retirement plan costs – Defined Benefit/Defined Contribution.

• Corporate-Level Hedging Programs.
• Commercial insurance premiums.
• Financial transaction costs – hedging Forex and Interest Rate exposures.
• Retained (within the policy deductible) or self-insured claims.
• Risk Control costs – Health & Safety inspections, risk-reduction techniques, etc.
• Development and implementation of training programs.

Legal and Regulatory Compliance:
• Financial penalties due to failure to perform on a contract.
• Unanticipated legal expenses – Responding to subpoenas, regulatory inquiries, non-standard advice, guidance on emerging regulation, etc.
• Explicit Regulatory fines.

Miscellaneous Costs:
• Cost of 3rd-party service providers – insurance brokers, consultants on a project, external audit firms, Information Security assessments, etc.
• Infrastructure development costs – Risk databases, Management Information Reporting, etc.

Page 14

By the numbers – What does ERM mean in economic terms?

Step 1 – The Financials + Step 2 – The Risk factors + Step 3 – Black Box = Profitability Distribution

Page 15

By the numbers – What does ERM mean in economic terms?

This is commonly referred to as the “median” of the normal distribution. In the context of a corporation’s financial health, this could also be interpreted as the “expected case” or P50 (50th percentile) in a forward-looking financial plan.

The economic results/outcomes in this part of the distribution arise from catastrophic risk events that are commonly referred to as “tail events” or “black swan events”. These events, by their very nature, are often unexpected and can have dramatic impacts on the affected parties…organizations, communities, and individual citizens.

[Chart: Projected change in economic position – Net worth at end of 5-year horizon; horizontal axis from -200,000,000 to 200,000,000]

Page 16

What are the critical success factors in building a successful ERM program?

“Tone from the Top” - must be present and strongly communicated throughout the organization.

Gain buy-in from stakeholders – Both internal and external. Transparency is key!

No “one size fits all” ERM program - The optimal design of a program is tightly linked with the unique attributes of each firm – corporate culture, strategic objectives, industry, operational complexity, competitive landscape, etc.

An ERM program is a dynamic, ongoing exercise – Not a simple project with a defined beginning and end date.

Product Development/M&A activities – Involving the ERM group in the early stages will serve to dramatically increase the probability of success of any new product rollouts or prospective M&A targets.

Staffing Considerations - Several of the key drivers of ERM program success – deep understanding of the firm’s business model and competitive landscape, familiarity with the firm’s culture, etc. – are most likely to be found among existing staff in other functional groups.

Embed Risk Management objectives into incentive schemes.

Risk Appetite and Risk Tolerance - Must be clearly defined and measurable.

Page 17

APPENDICES

Page 18

Appendix 1 – One possible structure for an ERM group (graphic)

Appendix 1 - ERM – Organizational model

Board of Directors

CEO/CFO/COO

Chief Risk Officer, with six direct reports, each supported by two Senior Analysts and two Junior Analysts:
• Head of ERM and Project Risk
• Head of Compliance Risk
• Head of Information Risk
• Head of Insurance Risk Management
• Head of Operational Excellence
• Head of HSSE and BC/DR

Page 19

Appendix 1 – One possible structure for an ERM group

• CHIEF RISK OFFICER
  • Head of Transaction risk
    • Market Risk
    • Credit Risk
    • Trade Control
    • Quantitative analytics
  • Head of Compliance Risk
    • Policy development – Develops corporate governance policies
    • Compliance Monitoring – Monitors employees and vendors against corporate policies and SLAs
    • Regulatory Affairs – monitors emerging regulation
    • Legal risk – monitors contractual agreements and related risks
    • Investigations
  • Head of Information Risk
    • Risk oversight of s/w development projects
    • Technology asset management
    • Risk assessments
    • Awareness training
    • Records management
  • Head of Insurance Risk Management
    • Commercial insurance procurement
    • Broker relationship management
    • Claims management
    • Coordinates with HSSE group on site visits and implementation of risk control techniques
  • Head of Operational Excellence
    • SOX-related operational risks
    • Manage Delegated Authorities framework
    • Non-SOX, general operational risks
    • Integration and risk assessment of new commercial activities
    • Quality assurance/Quality management
    • All risks around large CAPEX projects/acquisitions
  • Head of HSSE and Business Continuity/Disaster Recovery
    • Employee health & wellness
    • Adherence to environmental regulation
    • Management of backup and contingency sites
    • Asset decommissioning

Page 20

Appendix 2 – What are the key personal attributes/requirements for a Chief Risk Officer (CRO)?

• Overall Mission - At a macro level, the role of a Risk Management group, and particularly the CRO, is to simultaneously sit outside of the business and be independent and objective, but also be “of the business” – understand at an intimate level how the firm generates revenue, the strategic & competitive landscape that confronts the firm, the culture of the firm, the regulatory landscape, etc.

• Strong Educational Background - Highly analytical and quantitative discipline – mathematics, statistics, engineering, quantitative finance, hard sciences, etc.

• Broad functional experience - Human Resources, Technology/IT, Environmental Health & Safety (HSSE), Accounting & Finance, Sales & Marketing, Procurement, Operations, Ethics & Compliance, Legal, Public Relations, Regulatory Affairs, Product Development, etc.

• Intellectual Curiosity - Ability to scale from the high-level, “macro” view to the very detailed, “micro” view and back again with great agility.

• High levels of self-confidence, decisiveness, and assertiveness - Must be very comfortable in making tough decisions, often in the absence of complete information.

• Strong communication skills – Must possess a strong ability to distill complex and technical information and topics into simple to understand concepts and actionable guidance.

• Strong leadership skills - Tough and demanding, but also fair and invested in the success of direct reports, with an unyielding moral compass.

• Visionary and diplomat - Risk Management must be more than simply a paycheck. All RM roles are very challenging and demanding even on the best of days. The CRO should strongly believe that there is a broader social and fiduciary purpose to their role, well beyond the stated requirements of their specific job.

Page 21

Appendix 3 – Risk Management Taxonomy (1 of 3)

• Risk-Adjusted Return on Capital (RAROC) - A financial measurement that allows analysts to take into account the effect of risk when comparing profitability and performance across various businesses. It is calculated by dividing the risk adjusted return (net income - expected loss from risk + income from capital) by the economic capital. Higher risk projects tend to bring higher rewards.

• Risk Control – The activity of applying a range of Administrative, Technical, and Physical controls to reduce the risks to an organization’s assets.

• Risk Culture - The system of values and behaviors present in an organization that shapes risk decisions of management and employees. One element of risk culture is a common understanding of an organization and its business purpose. Employees must also understand that risk and compliance rules apply to everyone as they work towards business goals. This understanding can ensure a company “does the right thing” and is a fundamental part of good ERM practices.

• Risk Capacity - A firm’s ability to identify their financial resources, expertise, and operating mandate to determine how much risk they are able to take.

• Risk Owner - A person or entity that has been given the authority to manage a particular risk and is accountable for doing so.

• Key Risk Indicators (KRI) - A measure used in management to indicate how risky an activity is. It differs from a Key Performance Indicator (KPI) in that the latter is meant as a measure of how well something is being done while the former is an indicator of the possibility of future adverse impact.

• Risk Criteria - The terms of reference against which the significance of a risk is evaluated. Risk criteria are based on organizational objectives and external and internal context. Risk criteria can be derived from standards, laws, policies and other requirements.

Page 22

Appendix 3 – Risk Management Taxonomy (2 of 3)

• Security Controls - The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

• Confidentiality - Assurance that information is shared only among authorized persons or organizations. Breaches of Confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data, etc. The classification of the information should determine its confidentiality and hence the appropriate safeguards.

• Integrity - Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose. The term Integrity is used frequently when considering Information Security as it represents one of the primary indicators of security (or lack of it). The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon. For example, making copies (say by e-mailing a file) of a sensitive document threatens both the confidentiality and the integrity of the information.

• Availability - Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.

• Pure risk – A Risk event that only allows for losses, with no chance of a gain.

• Speculative risk – A Risk Event that allows for either a gain or loss.

• Black Swan Events – An event that lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility. Events of this type often result in catastrophic impacts, whether they be economic, environmental, or reputational.

Page 23

Appendix 3 – Risk Management Taxonomy (3 of 3)

• Risk Assessment - The identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk.

• Risk Appetite – The amount of risk that an organization is willing to seek or accept in the pursuit of its long-term objectives.

• Risk Tolerance – The boundaries of risk beyond which a given organization is not prepared to venture in pursuit of its long-term objectives.

• Qualitative Risk Assessment - A collaborative process of assigning relative values to assets, assessing their risk exposure, and estimating the cost of controlling the risk. Differs from quantitative risk analysis in that it utilizes relative measures and approximate costs rather than precise valuation and cost determination.

• Quantitative Risk Assessment - A process for assigning a numeric value to the probability of loss based on known risks and available, objective data. Used to determine potential direct and indirect costs to the company based on values assigned to company assets and their exposure to risk. For example, the cost of replacing an asset, the cost of lost productivity, or the cost of diminished brand reputation.

• Diversifiable risks - Risks whose adverse consequences can be mitigated simply by having a diversified portfolio of risk exposures.

• Non-diversifiable risks - Risks, shared by all persons or organizations, that cannot be mitigated by adding exposures to the portfolio.

Page 24

Appendix 4 Sample Risk Estimation Scales – Probability of event/Likelihood

Level – Descriptor: Description. Indicative Frequency.

1 – Very Rare: Heard of something like this occurring elsewhere. Indicative frequency: once every 30 years.

2 – Unlikely: Low likelihood of the event happening. The event does occur somewhere from time to time. Indicative frequency: once every 3 to 10 years.

3 – Possible: Medium likelihood of the event happening. The event has occurred at least once in your career. Indicative frequency: once every 3 years.

4 – Likely: The event has occurred several times or more in your career. Indicative frequency: once every year or less.

5 – Almost Certain: High likelihood of the event happening. The event has occurred in the last 6 months. Indicative frequency: more than once per year.

Page 25

Appendix 4 Sample Risk Estimation Scales – Economic Impact of Event

Level – Descriptor: Definition

1 – Very Low: < $100 million

2 – Low: >= $100 million and <= $250 million

3 – Moderate: >= $250 million and <= $1 billion

4 – High: >= $1 billion and <= $5 billion

5 – Very high: > $5 billion

Page 26

Appendix 4 Sample Risk Register (with linkage to strategic objectives)

Page 27

Appendix 4 Sample Risk Heatmap (after the application of controls)

[Heatmap: Likelihood Scale (1 - Very rare, 2 - Unlikely, 3 - Possible, 4 - Likely, 5 - Almost Certain) against Severity Scale (1 - Very Low, 2 - Low, 3 - Moderate, 4 - High, 5 - Very high); cells banded MINOR, MODERATE, SIGNIFICANT, CATASTROPHIC]
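The risk register attributes from page 9 (Likelihood, Impact, Risk Tolerance, Residual Risk), the Step 3 cut of the top 5 risks by residual exposure, and the Appendix 4 likelihood and impact scales with the heatmap bands, worked through in Python as an added example that is not part of the original deck. The multiplicative residual score, the heatmap band cut-offs, the per-risk tolerance as a score, and the sample register rows are assumptions made for illustration.

```python
"""Risk register scoring with the deck's Appendix 4 scales (added example).
Assumed, not on the slides: residual score = likelihood level x impact level
(1-25), the heatmap band cut-offs, and the constructed sample register rows."""
from dataclasses import dataclass
from typing import List

# Appendix 4 likelihood scale: level -> (descriptor, indicative frequency)
LIKELIHOOD = {
    1: ("Very Rare", "once every 30 years"),
    2: ("Unlikely", "once every 3 to 10 years"),
    3: ("Possible", "once every 3 years"),
    4: ("Likely", "once every year or less"),
    5: ("Almost Certain", "more than once per year"),
}

# Appendix 4 economic impact bands in USD: (level, descriptor, low, high), both
# bounds inclusive exactly as the slide words them. Adjacent bands share their
# boundary value, so the first matching band wins (the lower level).
IMPACT_BANDS = [
    (2, "Low",      100_000_000,   250_000_000),
    (3, "Moderate", 250_000_000,   1_000_000_000),
    (4, "High",     1_000_000_000, 5_000_000_000),
]

def impact_level(loss_usd: float) -> int:
    """Map an estimated dollar loss to the 1-5 impact level."""
    if loss_usd < 100_000_000:          # level 1, Very Low: < $100 million
        return 1
    for level, _descriptor, low, high in IMPACT_BANDS:
        if low <= loss_usd <= high:
            return level
    return 5                            # level 5, Very high: > $5 billion

def heatmap_band(score: int) -> str:
    """Severity band for a heatmap cell; the cut-offs are an assumption."""
    if score <= 4:
        return "MINOR"
    if score <= 9:
        return "MODERATE"
    if score <= 15:
        return "SIGNIFICANT"
    return "CATASTROPHIC"

@dataclass
class RiskEntry:
    """One row of the corporate risk register (attributes listed on page 9)."""
    description: str
    risk_type: str        # Strategic, Operational, Regulatory, Insurable, Market, Credit
    owner: str
    likelihood: int       # 1-5, assessed after current controls
    impact_usd: float     # estimated economic impact after current controls
    controls: str         # current controls / mitigations
    tolerance: int        # highest residual score the owner will accept (assumption)

    @property
    def impact(self) -> int:
        return impact_level(self.impact_usd)

    @property
    def residual(self) -> int:
        return self.likelihood * self.impact

    def needs_remediation(self) -> bool:
        """Page 9: residual risk above tolerance requires a remediation plan."""
        return self.residual > self.tolerance

def remediation_queue(register: List[RiskEntry]) -> List[RiskEntry]:
    """Entries outside tolerance, worst residual exposure first."""
    breached = [r for r in register if r.needs_remediation()]
    return sorted(breached, key=lambda r: r.residual, reverse=True)

def top_risks(register: List[RiskEntry], n: int = 5) -> List[RiskEntry]:
    """Step 3 (page 12): the top n risks as measured by residual exposure."""
    return sorted(register, key=lambda r: r.residual, reverse=True)[:n]

# Constructed sample register; values are illustrative, not from the slides.
SAMPLE_REGISTER = [
    RiskEntry("Loss of sole-source supplier", "Strategic", "COO", 3,
              400_000_000, "Annual supplier review", 6),
    RiskEntry("Ransomware outage at primary data centre", "Operational", "CIO", 4,
              150_000_000, "Offline backups, EDR, tested DR runbook", 8),
    RiskEntry("Fine under new emissions regulation", "Regulatory", "General Counsel",
              2, 1_200_000_000, "Regulatory watch, quarterly legal review", 4),
    RiskEntry("Counterparty default on FX hedge", "Credit", "CFO", 1,
              6_000_000_000, "Counterparty limits, collateral agreements", 5),
    RiskEntry("Workplace injury claims", "Insurable", "Head of HSSE", 5,
              20_000_000, "Site inspections, workers' compensation cover", 10),
]

if __name__ == "__main__":
    for r in top_risks(SAMPLE_REGISTER):
        flag = "REMEDIATE" if r.needs_remediation() else "within tolerance"
        print(f"{r.residual:>2} {heatmap_band(r.residual):<13} {r.description} ({flag})")
```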

Page 28

Appendix 5 (1 of 2) – Sample Objective set with linkage to risk appetite/tolerance

Page 29

Appendix 5 (2 of 2) – Sample Objective set with linkage to risk appetite/tolerance