© Grant Thornton
Enterprise-Wide Risk Management
Top 10 Things Everyone should know about Enterprise Risk Management
Contents
#1 – What is Enterprise Risk Management?
#2 – The Value Proposition – Why do this?
#3 – ERM – Best Practices – International
#4 – An Example of ERM Methodology
#5 – Identify Risks
#6 – Analyze Risks
#7 – Evaluate Risks
#8 – ERM Organization
#9 – Where is the industry today?
#10 – Best Practices and Lessons Learned
#1 - What is Enterprise Risk Management? (Taken from "COSO - ERM Integrated Framework")
• Takes an entity-level portfolio view of risk
• A process, ongoing and flowing through an entity
• Effected by people at every level of the organization
• Applied in strategy setting
• Designed to identify potential events that, if they occur, will affect the entity
• Designed to help an organization manage risk within its risk appetite
• Provides reasonable assurance to an entity's management and board of directors as to accomplishment of business objectives
#2 - The Value Proposition – Why do this?
Taken from "COSO - ERM Integrated Framework"
• Develops a strategic, firm-wide approach to risk management and mitigation using all the available tools: derivatives, insurance, internal controls and strategic action
• Focuses management attention on the truly important risks – risks with potential to significantly impact earnings or even endanger firm survival
• Integrates risk management into critical decision-making processes, such as strategic planning, to ensure a link between risk-adjusted performance measurement tools (e.g. Economic Capital RAROC) and strategic decision-making (i.e. Budget planning, Capex, M&A)
• Identifies the risks inherent in current strategy and business model before the competition to provide sustainable competitive advantage
The Value Proposition for Public Companies – Why do this?
• Lowers cost of capital by reducing cash flow volatility and increases confidence of delivering financial outcomes
• Determines the risk appetite of the firm in the context of investor expectations and financial resources, and communicates it effectively to all stakeholders (i.e. Board, investors, analysts, rating agencies)
#3 - ERM - Best Practices - International
Australia/New Zealand – AS/NZS 4360 and HB 436
Canada – CoCo
UK – Combined Code
South Africa – King I and II
Banking (worldwide) – Basel I and II
India – Clause 49
COSO-ERM Framework (Taken from "COSO - ERM Integrated Framework")
The framework is drawn as a cube with three faces:
• Objective categories: Strategic, Operations, Reporting, Compliance
• Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring
• Entity levels: Entity-Level, Division, Business Unit, Subsidiary
Comparison to COSO (Internal Control – Integrated Framework):
• 4 objectives vs. 3 (strategy is added)
• reporting is more robust
• internal environment > control environment
• risk identification more robust
• separate section for risk response
COSO – ERM Process Flow
Internal Environment: Risk Management Philosophy – Risk Culture – Board of Directors – Integrity and Ethical Values – Commitment to Competence – Management's Philosophy and Operating Style – Risk Appetite – Organizational Structure – Assignment of Authority and Responsibility – Human Resource Policies and Practices
Objective Setting: Strategic Objectives – Related Objectives – Selected Objectives – Risk Appetite – Risk Tolerance
Event Identification: Events – Factors Influencing Strategy and Objectives – Methodologies and Techniques – Event Interdependencies – Event Categories – Risks and Opportunities
Risk Assessment: Inherent and Residual Risk – Likelihood and Impact – Methodologies and Techniques – Correlation
Risk Response: Identify Risk Responses – Evaluate Possible Risk Responses – Select Responses – Portfolio View
Control Activities: Integration with Risk Response – Types of Control Activities – General Controls – Application Controls – Entity Specific
Information & Communication: Information – Strategic and Integrated Systems – Communication
Monitoring: Separate Evaluations – Ongoing Evaluations
Internal Environment (Taken from "COSO - ERM Integrated Framework")
• Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur
• Establishes the entity's risk culture
• Considers all other aspects of how the organization's actions may affect its risk culture
Objective Setting (Taken from "COSO - ERM Integrated Framework")
• Is applied when management considers risk strategy in the setting of objectives
• Forms the risk appetite of the entity – a high-level view of how much risk management and the board are willing to accept
• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite
Event Identification (Taken from "COSO - ERM Integrated Framework")
• Differentiates risks and opportunities
• Events that may have a negative impact represent risks
• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting
Event Identification (Taken from "COSO - ERM Integrated Framework")
• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives
• Addresses how internal and external factors combine and interact to influence the risk profile
Risk Assessment (Taken from "COSO - ERM Integrated Framework")
• Allows an entity to understand the extent to which potential events might impact objectives
• Assesses risks from two perspectives: likelihood and impact
• The unit of measure used to assess risks is normally the same as that used to measure the related objectives
Risk Assessment (Taken from "COSO - ERM Integrated Framework")
• Employs a combination of both qualitative and quantitative risk assessment methodologies
• Relates time horizons to objective horizons
• Assesses risk on both an inherent and a residual basis
Risk Response (Taken from "COSO - ERM Integrated Framework")
• Identifies and evaluates possible responses to risk
• Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood
• Selects and executes the response based on evaluation of the portfolio of risks and responses
Control Activities (Taken from "COSO - ERM Integrated Framework")
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out
• Occur throughout the organization, at all levels and in all functions
• Include application and general information technology controls
Information & Communication (Taken from "COSO - ERM Integrated Framework")
• Management identifies, captures and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities
• Communication occurs in a broader sense, flowing down, across and up the organization
Monitoring (Taken from "COSO - ERM Integrated Framework")
Effectiveness of the other ERM components is monitored through:
• Ongoing monitoring activities
• Separate evaluations
• A combination of the two
Relationship to Internal Control – Integrated Framework
• Expands and elaborates on elements of internal control as set out in COSO's "control framework"
• Includes objective setting as a separate component. Objectives are a "prerequisite" for internal control
• Expands the control framework's "Financial Reporting" and "Risk Assessment"
#4 - An Example of ERM Methodology
Phases: Gain understanding of business model and establish context → Identify risks → Analyze risks → Evaluate risks → Treat risks → Monitor risks. The slide is a matrix giving the Methodology, Techniques, Technology and Deliverables for each phase.

Gain understanding of business model and establish context
Methodology:
• Co. strategy & objectives
• Control environment
• ERM overall plan
• Understand internal risk capabilities
• Vision/mission of Co.
• Establish risk appetite/tolerances
• Discuss different risk treatment strategies
Deliverables:
• Strategy linked to risk appetite
• Overall ERM plan by year
• Report on existing risk capabilities
• Risk appetite statement/tolerances established
• Risk management charter/Committee
• Establish common business language

Identify risks
Methodology:
• Identify/interview risk process owners
• Identify risk universe/terms
• Identify key risk events
• Link risks to strategy
• Identify processes/sub-processes
• Link risks to processes/sub-processes
Deliverables:
• Risk questionnaire
• List of people to interview
• Risk universe/terms
• Processes/sub-processes
• Risks linked to processes
• Risks linked to strategy

Analyze risks
Methodology:
• Significance of risks
• Likelihood – inherent
• Likelihood – residual
• Roll-up of risks
• Prioritized summary
• Report
Deliverables:
• Prioritized risk report with and without mitigation

Evaluate risks
Methodology:
• Compare against risk tolerances
• Assess different treatment options

Treat risks
Methodology:
• Decide optimal option
• Assign responsibility
• Ensure resources available
• Bridge risk capability gaps
• Treat risks
• Analyze & evaluate residual risks
• Report
Deliverables:
• Risk report – post treatment

Monitor risks
Methodology:
• Risk monitoring
• Internal audit – assurance (see separate flow)
Deliverables:
• Report on on-going risk monitoring
• Key metrics
• Tie into performance management system

Techniques (listed across the phases): Discussion; Review documents; Facilitated workshops; Questionnaires; CSA; FCSA; Brainstorming; Scatter graph; Heat map, charts; Communications; Cost vs. benefit analysis (avoid, accept, mitigate, outsource); External experts (e.g., actuaries)
Technology (listed across the phases): Voting technology; Risk repository software; Templates; Compliance software; Scenario modeling software; Dashboards; Monitoring software; Extraction software; Audit workpaper software
Gain Understanding – Relating Vision, Mission, Strategic/Business Objectives and Appetite
Vision: To help drive advancement of education
Mission: To improve the mathematics skills of elementary & secondary students, regardless of curriculum & teaching styles
Strategy:
• Expand customer base – retail channels
• Expand product line – reading-based product
• Foreign languages – penetrate international markets
Strategic Objectives:
A. Enhance shareholder value: Consistently grow operating earnings (currently at 25%)
B. Market share objective: Penetrate both top 1000 school districts + 40% of next tier 1500 school districts
C. Reputation objective: Be recognized by educators and institutions as significant contributor to education in U.S.
D. People objective: Achieve ranking as one of top 50 companies to work for
E. Integrity objective: Always act with integrity when dealing with employees, customers, vendors or other parties
Related Objectives:
B. Install customer service (reporting) information system
C. Ensure quality assurance process
D. Ensure internal accident rate is reduced by 10% (compliance)
Risk Appetite:
- Accepts consumption of capital for need and information technology projects
- Will not accept impairment of reputation through significant quality defects
- Will not accept any deaths from internal accidents
Risk Tolerances (Measure – Target – Tolerance/acceptable range):
C. Measure: Be recognized by educators and institutions as significant contributor to education in U.S. – Target: Ensure quality assurance process is 99% defect free – Tolerance: Willing to accept up to 3% deviation
D. Measure: Ensure accident rate is reduced by 10% – Target: Ensure accident rate is reduced by 10% – Tolerance: Willing to accept no deviation
Identify Risks – Risk Universe
Business Risk Model Definitions – Example (* marks the risks defined on the next slide)
Strategic Risks
External Risks: 1. Industry*; 2. Economy; 3. Political change; 4. Competitor; 5. Consumer preference
Internal Risks: 6. Market share; 7. Reputation; 8. Brand equity*; 9. Strategic focus; 10. Investor confidence
Operations Risks
Process Risks: 11. Customer satisfaction; 12. Product failure*; 13. Supply chain; 14. Sourcing; 15. Supplier concentration; 16. Outsourcing; 17. Production cycle; 18. Catastrophic loss; 19. Process execution
Compliance Risks: 20. Policies and procedures; 21. Environmental; 22. Contract; 23. Legal and regulatory*
People Risks: 24. Human resources; 25. Health and safety*; 26. Authority; 27. Integrity; 28. Leadership/Empowerment; 29. Communications; 30. Culture; 31. Performance incentive; 32. Knowledge capital
Finance Risks
Treasury Risks: 33. Cash flow/liquidity; 34. Capital availability; 35. Interest rate; 36. Foreign exchange
Credit Risks: 37. Credit capacity; 38. Credit concentration; 39. Credit default
Information Risks
Financial Risks: 40. Accounting; 41. Budgeting; 42. Taxation
Operational Risks: 43. Pricing; 44. Performance measurement; 45. Portfolio
Technological Risks: 46. Systems infrastructure; 47. Systems access; 48. Systems availability; 49. Data integrity; 50. Data relevance
#5 - Identify Risks – Risk Universe Terms
Business Risk Model Definitions – Example (categories: Strategic Risks – External/Internal; Operations Risks – Process/Compliance/People; Information Risks – Financial/Operational/Technological; Finance Risks – Treasury/Credit)
1. Industry – Changes in the education or technology industries may require alteration in the Company's business model and potentially threaten long-term viability
8. Brand equity – Failure to establish and maintain brand awareness, positioning, and strength may impair the Company's ability to execute strategic growth objectives
12. Product failure – Failure of product to operate as intended may result in higher than acceptable returns or warranty claims, lack of repeat business and damage to brand equity
23. Legal and regulatory – Failure to comply with federal, state or local regulations may result in fees, penalties, criminal or civil claims, or damage to the Company's reputation
25. Health and safety – Failure to protect health and safety of employees and third parties on Company property may result in claims, fees, low morale, or reduced productivity
Identify Risks – Linking of Risks to Strategic Objectives
Strategic objectives (columns): Earnings Growth, Market Share, Reputation, People, Integrity
Risks (X = linked to an objective, as marked on the slide):
1. Industry X X
2. Economy
3. Political change
4. Competitor
5. Consumer preference
6. Market share
7. Reputation
8. Brand equity X X X
9. Strategic focus
10. Investor confidence
11. Customer satisfaction
12. Product failure X X X
13. Supply chain
14. Sourcing
15. Supplier concentration
16. Outsourcing
17. Production cycle
18. Catastrophic loss
Identify Risks – Link Risks to Business Processes (ABC Company)
Risks (columns): Industry, Brand Equity, Product Failure, Legal & Regulatory, Health & Safety
Process (Sub Process) – X marks as they appear on the slide:
Finance (M&A): X
General Counsel (Environmental): X X
Administration (HR): X
Risk Management (Insurance): –
Risk Management (Strategic Planning): X X
Operations (Production): –
Operations (Quality Assurance): X X X
Customer Service (Distribution / Warranty & Repairs): X X
New Product Development (Research): X X
#6 - Analyze Risks – Assessment of Risks for Impact and Likelihood of Occurrence
Scale for Impact:
1 Not Significant – Neither a strategic nor a financial impact
3 Slightly Significant – Relatively minor strategic and/or financial impact (one week's earnings), e.g., minor legal issues
5 Moderately Significant – Noticeable challenges to achieving strategic objectives and/or financial targets (one month's earnings), e.g., serious breach of regulations with investigational authorities
7 Significant – Difficult to achieve strategic objectives (possibly requiring a strategic change) and/or material financial impact (one quarter's earnings), e.g., major breach of regulation/major litigation
9 Highly Significant – Strategic objectives cannot be achieved, resulting in significant financial impact (one year's earnings) and questions about future viability, e.g., significant prosecution and fines, very significant litigation including class action lawsuits
Scale for Likelihood (assess likelihood with and without mitigation):
1 Never – will not occur in the specified time period (<5%)
3 Unlikely – not likely to occur in the specified time period (<25%)
5 Possible – may occur in the specified time period (<50%)
7 Likely – more likely than not to occur in the specified time period (>50%)
9 Definitely – already occurring or almost certainly will occur in the specified time period (>90%)
#7 - Evaluate Risks – Risk Appetite/Tolerance
Scales for Tolerance:
Very Low Tolerance – Management is not willing to accept more than a nominal level of risk. Adverse risks are intolerable whatever benefits the activity will bring and risk reduction measures are essential – whatever their cost.
Moderate Tolerance – Management will accept a moderate level of risk. Costs and benefits are taken into account and opportunities balanced against potential adverse consequences.
Extremely High Tolerance – Management will accept an extremely high level of risk. Positive or negative risks are negligible or so small that no risk treatment measures are needed.
Evaluate Risks – Evaluate Risks Against Risk Tolerances
Columns: Risk – Impact – Likelihood – Tolerance – Analysis
1 Industry – Impact 6.6 – Likelihood 4.0 – Tolerance Moderate
• Industry changes would have a moderate to high impact as the Company's product may have to undergo significant changes.
• Technological changes are inherent in the industry, hence ABC Company's likelihood and tolerance are both moderate.
8 Brand Equity – Impact 7.4 – Likelihood 4.0 – Tolerance Low
• Protecting ABC Company's brand is paramount for future growth and success; hence high impact and low tolerance.
• High quality assurance and ongoing R&D result in low likelihood.
12 Product Failure – Impact 7.8 – Likelihood 3.8 – Tolerance Low
• High quality products and performance are very important to ABC Company; hence high impact and low tolerance.
• The Company's strong quality control helps keep likelihood low (good audit candidate).
23 Legal & Regulatory – Impact 6.6 – Likelihood 3.4 – Tolerance Low
• Changes in laws and regulations could have a moderately high impact on the Company.
• As these changes are infrequent, ABC Company is successful in managing them to a low tolerance level.
25 Health & Safety – Impact 6.4 – Likelihood 3.2 – Tolerance Low
• Considering the high value placed on employees, the Company has a low tolerance for health & safety risks, which could have a moderate impact.
• The Company has an effective health & safety program, which has helped the likelihood of this risk remain low.
Impact vs. Probability (heat map)
Axes: IMPACT and PROBABILITY, each running from Low to High. Each quadrant carries a risk rating and the response attached to it:
• High impact, high probability – High Risk – Mitigate & Control
• High impact, low probability – Medium Risk – Share
• Low impact, high probability – Medium Risk – Control
• Low impact, low probability – Low Risk – Accept
Example: Call Center Risk Assessment
Heat map with the same axes (IMPACT, PROBABILITY, each Low to High) and the same quadrants (High Risk, Medium Risk, Medium Risk, Low Risk). The call center risks are plotted in four groups, listed here as they appear on the slide:
• Loss of phones; Loss of computers
• Credit risk; Customer has a long wait; Customer can't get through; Customer can't get answers
• Entry errors; Equipment obsolescence; Repeat calls for same problem
• Fraud; Lost transactions; Employee morale
Treat Risks
Choices: Accept, Reduce, Transfer, Avoid
The choice is positioned on three dimensions:
• Risk to Company Strategy: Not Core / Core
• Management Believes It Can Effectively Manage: Not Manage / Manage
• Risk Impact to Company Tolerance: Consistent / Exceeds / High / Far Exceeds
Monitor Risks – Risk Monitoring Internal Audit Program
Columns: Risk – Impact – Likelihood (inherent) – Significance (Impact × Likelihood) – Likelihood (residual) – Tolerance – Business Processes – IA Program (the Risk Treatment column is blank on the slide)

Industry – 6.6 – 4.0 – 26.40 – 4.0 – Moderate
Business processes: Strategy; Mergers & Acquisitions
IA program: Review business controls over the strategy setting process. Ensure S, W, O, T have considered the impact of industry/technology changes.

Product Failure – 7.8 – 3.8 – 29.64 – 2.8 – Low
Business processes: Production; Quality assurance; Customer Service; NPD
IA program: Review controls over quality control and analyze customer returns. Review controls over New Product Development.

Brand Equity – 7.4 – 4.0 – 29.60 – 2.8 – Low
Business processes: Quality assurance; Distribution / warranty & repairs; NPD
IA program: Review business controls over the quality assurance process & ongoing R&D levels – KPI.

Legal & Regulatory – 6.6 – 3.4 – 22.44 – 3.4 – Low
Business processes: General counsel
IA program: Discuss pending regulatory changes with general counsel.

Health & Safety – 6.4 – 3.2 – 20.48 – 2.8 – Low
Business processes: General counsel; HR
IA program: Reconfirm that controls are good in this area – analyze reports of safety issues.
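The scoring arithmetic behind the Analyze, Evaluate and Monitor slides (impact × likelihood on the 1-9 scales, inherent vs. residual likelihood, roll-up into a prioritized summary, heat-map quadrant, comparison against tolerance) is shown below as a small Python helper. It is an added example, not a Grant Thornton tool, run over the five ABC Company risks whose scores appear on the slides. Two things are assumptions rather than slide content: the numeric ceilings given to the Low/Moderate/High tolerance labels (`TOLERANCE_CEILING`) and the 5.0 scale midpoint used to split the heat map into Low/High (`HEAT_MAP_THRESHOLD`); the slides define both qualitatively.

```python
"""Risk scoring helper in the style of the #6/#7 slides (added example).

Applies the slides' own method to the five ABC Company risks: significance =
impact x inherent likelihood, residual likelihood after existing controls,
prioritized roll-up, heat-map quadrant and a check against tolerance.
"""
from dataclasses import dataclass

# Scale anchors from the "Analyze Risks" slide (1-9, odd anchors only).
IMPACT_LABELS = {1: "Not Significant", 3: "Slightly Significant",
                 5: "Moderately Significant", 7: "Significant",
                 9: "Highly Significant"}
LIKELIHOOD_LABELS = {1: "Never", 3: "Unlikely", 5: "Possible",
                     7: "Likely", 9: "Definitely"}

# ASSUMPTION: the highest residual likelihood the entity will live with for
# each tolerance label. The slides describe tolerance in words only.
TOLERANCE_CEILING = {"Low": 3.5, "Moderate": 5.0, "High": 7.0}

# ASSUMPTION: scale midpoint separating "Low" from "High" on the heat map.
HEAT_MAP_THRESHOLD = 5.0


def nearest_label(score: float, labels: dict) -> str:
    """Map an averaged workshop score (e.g. 6.6) to the closest scale anchor."""
    anchor = min(labels, key=lambda k: abs(k - score))
    return labels[anchor]


@dataclass(frozen=True)
class Risk:
    number: int
    name: str
    impact: float
    likelihood_inherent: float   # without mitigation
    likelihood_residual: float   # with existing controls in place
    tolerance: str               # "Low", "Moderate" or "High"

    @property
    def significance(self) -> float:
        """Significance column of the Monitor slide: impact x inherent likelihood."""
        return round(self.impact * self.likelihood_inherent, 2)

    @property
    def residual_significance(self) -> float:
        return round(self.impact * self.likelihood_residual, 2)

    def within_tolerance(self) -> bool:
        return self.likelihood_residual <= TOLERANCE_CEILING[self.tolerance]


def heat_map_quadrant(impact: float, likelihood: float) -> tuple[str, str]:
    """Quadrant rating and the response the heat-map slide attaches to it.

    Assumed (conventional) reading of the slide: high impact + high probability
    = Mitigate & Control; high impact + low probability = Share; low impact +
    high probability = Control; low + low = Accept.
    """
    high_impact = impact >= HEAT_MAP_THRESHOLD
    high_prob = likelihood >= HEAT_MAP_THRESHOLD
    if high_impact and high_prob:
        return "High Risk", "Mitigate & Control"
    if high_impact:
        return "Medium Risk", "Share"
    if high_prob:
        return "Medium Risk", "Control"
    return "Low Risk", "Accept"


# Scores transcribed from the Evaluate and Monitor slides.
ABC_RISKS = [
    Risk(1, "Industry", 6.6, 4.0, 4.0, "Moderate"),
    Risk(8, "Brand Equity", 7.4, 4.0, 2.8, "Low"),
    Risk(12, "Product Failure", 7.8, 3.8, 2.8, "Low"),
    Risk(23, "Legal & Regulatory", 6.6, 3.4, 3.4, "Low"),
    Risk(25, "Health & Safety", 6.4, 3.2, 2.8, "Low"),
]


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Roll-up / prioritized summary: highest inherent significance first."""
    return sorted(risks, key=lambda r: r.significance, reverse=True)


def exceeding_tolerance(risks: list[Risk]) -> list[str]:
    """Names of risks whose residual likelihood is above the tolerance ceiling."""
    return [r.name for r in risks if not r.within_tolerance()]


def report(risks: list[Risk]) -> list[str]:
    """One line per risk, in priority order, with quadrant and tolerance check."""
    lines = []
    for r in prioritise(risks):
        quad, response = heat_map_quadrant(r.impact, r.likelihood_residual)
        status = "within" if r.within_tolerance() else "EXCEEDS"
        lines.append(
            f"{r.number:>2} {r.name:<20} impact {r.impact:.1f} "
            f"({nearest_label(r.impact, IMPACT_LABELS)}), inherent "
            f"{r.likelihood_inherent:.1f} -> significance {r.significance:.2f}, "
            f"residual {r.likelihood_residual:.1f} -> {quad} / {response}, "
            f"tolerance {r.tolerance}: {status}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(ABC_RISKS)))
```

Running it reproduces the significance figures on the Monitor slide (29.64, 29.60, 26.40, 22.44, 20.48) and ranks Product Failure ahead of Brand Equity on inherent significance even though Brand Equity has the higher likelihood; the residual column is what the tolerance check and the heat-map placement use, which is the "with mitigation" view the Analyze slide asks for.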
Key Concepts in ERM Framework
• Sustainability
• Interconnectivity
• Transparency
#8 - ERM Organization (Taken from IIA presentation "Applying COSO - ERM Integrated Framework")
Example organization chart:
Vice President and Chief Risk Officer
• ERM Director
  – ERM Manager (two positions), each with Staff
• Corporate Credit Risk Manager – Staff
• Insurance Risk Manager – Staff
• FES Commodity Risk Management Director – Staff
Enterprise Risk Management – Best Practices for Internal Audit's Role
Core Internal Audit Roles in Regard to ERM
• Giving assurance on the risk management processes
• Giving assurance that risks are correctly evaluated
• Evaluating the reporting of key risks
• Reviewing the management of key risks
Legitimate Internal Audit Roles with Safeguards
• Facilitating identification and evaluation of risks
• Coaching management in responding to risks
• Coordinating ERM activities
• Consolidated reporting on risks
• Maintaining and developing the ERM framework
• Championing establishment of ERM
• Developing RM strategy for board approval
Roles Internal Audit Should Not Undertake
• Setting the risk appetite
• Imposing risk management processes
• Management assurance on risks
• Taking decisions on risk responses
• Implementing risk responses on management's behalf
• Accountability for risk management
Basic, Midpoint and Advanced ERM
Basic Elements of ERM – Identification, Infrastructure, and Process:
• Determine risk treatment strategies
• Establish a business risk inventory
• Align BU risks with objectives
• Create common language for risks, control activities and monitoring efforts
• Communicate expectations for risk taking to senior managers
Midpoint Elements of ERM – Identification, Infrastructure, and Process:
• All the basic elements
• Quantify key risks to the best extent possible
• Identify key metrics to report on risk
• Create risk policy and procedure manual
• Analyze risks' root cause and impact
• Integrate effects of risk types
Advanced ERM – Integration with Corporate Practices:
• All basic and midpoint elements
• Strategic planning
• Annual budget process
• Stakeholder communications
• Management scorecards
• Remuneration
Where is the Industry Today?
• Pre 2003 – No external drivers for ERM
• Regulatory compliance for public companies is changing that
#9 - Where is the Industry Today?
Stats from a Mercer Oliver Wyman Survey on ERM
• 90% of companies are getting ready to implement ERM
• Only 11% have completed the implementation
• 35% have formally trained executives and business line managers to assess the probability of various types of risk
• 55% don't have a member of senior management with explicit responsibilities to manage risk
#10 - Best Practices and Lessons Learned
• Establish an ERM framework including a Risk Management Committee and Charter
• Identify a risk champion and make sure he/she has active support from the CEO
• Understand that ERM is a journey and not a project
• Provide a holistic definition of business risk
• Include consultants but do not let them drive ERM
• Don't underestimate the impact of existing culture
• Don't undersell ERM as a business risk assessment
• Don't implement ERM as a part-time job
• Don't bite off more than you can initially chew – you need to show tangible benefits all along
Real Life Experiences