4. am track 3 - deloitte - iia presentation 2012-05-18_final

The New York Chapter of the Institute of Internal Audit - 39th Annual Audit Seminar

May 18, 2012

Patchin Curtis, DirectorMichele Crish, Senior ManagerMichael Schor, Senior Manager

Enterprise Risk Management for Internal Auditors

Copyright © 2012 Deloitte Development LLC. All rights reserved.1

Contents

Defining Risk and Risk Management

State of Enterprise Risk Management (ERM)

Risk Management Framework

Role of Internal Audit – A Discussion

Leading Practices and Insights from Deloitte’s Global Risk Survey

Questions and Answers


Risk management in the news

“A bank in which every employee understands his or her responsibility for managing risk is likely to be more sound than a bank in which risk management is always seen as someone else's responsibility. While risk management starts at the business-line level, a well-run bank also has in place an effective program for enterprise-wide risk management that is supported by strong internal controls.”- Sara Raskin, Federal Reserve Bank Governor, 2011

“Given the central role of effective, firmwide risk management in maintaining strong financial institutions, it is clear that supervisors must redouble their efforts to help organizations improve their risk-management practices…We are also considering the need for additional or revised supervisory guidance regarding various aspects of risk management, including further emphasis on the need for an enterprise-wide perspective when assessing risk” -Ben Bernanke, US Federal Reserve Bank Chairman, 2008

“A fundamental shortcoming is the wide disparity between the rapid pace of financial innovation and the risk management infrastructure on which this innovation was built…. historic or statistical measures of risk and exposure, such as value-at-risk, past loss experiences and name concentration in the traditional banking book have proved inadequate.”- Nout Wellink , BIS Chairman, 2008

“Strong risk management and robust financial regulation are the bedrock of a stable financial system”-Hugo Banziger, Deutsche Bank’s Chief Risk Officer and a Member of the Management Board, 2010

“I am fully convinced that going forward, continued improvement of risk management by banks, despite their size, will not only impact on their behavior but also their performance.”-Liu Mingkang, Chairman, China Banking Regulatory Commission, 2004

Defining Risk and Risk Management


Unrewarded Risk:

Nothing is gained from taking the risk

Relates to risk areas such as regulatory compliance

Rewarded Risk:

Provides a premium ifmanaged well

Relates to strategy and business decisions,

where value is created

Focusing on rewarded risk enables continued creation and preservation of value, even in turbulent times.

Risk

Risk Intelligence addresses the risks and rewards of value creation

Risk does not just relate to events that cause damage to the business - consider risk that applies to value creation

If risk associated with value creation is not properly managed, a company may not reap potential rewards

A company’s leadership team must understand the company’s risk and reward profile

Neglecting compliance could result in business termination

If companies avoid too many risks, they will forgo associated rewards

Focus of Deloitte‘s approach

Defining riskRisk is the potential for loss or harm — or the diminished opportunity for gain — that can adversely affect the achievement of an organization’s objectives, as defined by our Risk

Intelligence approach


Defining risk management

“A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its appetite, to provide reasonable assurance regarding the achievement of entity objectives.”*

*Source: Committee of Sponsoring Organization of the Treadway Commission – COSO

A leading definition for Enterprise Risk Management is:

A process for providing a risk adjusted view of the achievability of enterprise objectives

A means to enhance informed decision making and risk taking

An aggregated portfolio view of risks and vulnerabilities and their potential interactions

A methodology that supports accountability for risk across the organization

A substitute for management’s judgment A bureaucratic exercise that is isolated from the

business units A guarantee of a zero risk environment

ERM IS ERM IS NOT


Role of risk management evolves

Traditional View

View on managing single risk factors / single impact events within various organizational silos

Measure risk and ensure that exposure concentrations are contained within pre-specified (arbitrary) limits

Performance measured on ex-post basis in Return on Assets (ROA) or contribution terms. Business Unit Return on Equity (ROE), if measured, based on simply equity allocations

Institution’s overall capital ratio Regulatory capital

Evolving View

View on managing risk enterprise-wide Measure risk, allocate capital based on risk, and measure performance relative to the cost of risk

(economic capital) Clarify risk/return economics for line management, and incorporate into pricing and customer

profitability Risk adjusted performance for business units, customers and portfolios utilize the same approach Greater link between CFO and Chief Risk Officer Evolving risk management capabilities is to build upon an institution’s strengths and existing

capabilities

Busi

ness

Ris

k

Com

plia

nce

Cou

ntry

Ris

k

Ope

ratio

nal R

isk

Cre

dit R

isk

Liqu

idity

Ris

k

Rep

utat

ion

Mar

ket R

isk


Benefits and challenges of risk management

More integrated and comprehensive assessment of risks, and an objective, consistent approach to managing them

Enhanced clarity around risk management roles and responsibilities

Help create a more common language and improved view of risk across the institution

Improved understanding and monitoring on the nature of risk in the business

Promote a risk-aware operating culture and accountability

Receive favorable treatment from credit agencies, insurers, analysis and other stakeholders

Defining ERM: lack of organizational objectives and confusing, contradictory terminology

Assessing risk profile in line with strategic decisions

Siloed view of risk

Identifying and aggregating various risk types

Risk measurement: no one tool exists

Enabling technology: no one system addressing ERM

Benefits Challenges

Risk management provides many benefits throughout the organization and beyond. However, implementing an ERM program may pose challenges across the organization, especially with risk language, risk infrastructure and risk data


Current trends in risk management

1. Clear governance practices embeddedinto the organizational structure: Increase oversight, interaction and

communication with board and senior management risk operating committees

Communicate a statement of the risk philosophy and appetite of the firm that is actionable and can be assessed

Document and clarify roles and responsibilities Develop integrated market and credit risk

framework processes

2. Risk and return balance and risk management priorities:

Decision making is risk/return oriented and in partnership — risk is “right sized” to organization

Compensation structure is aligned with risk and reward

Risk management function has risk “veto” authority with clear escalation/resolution processes

3. Investment in infrastructure and risk capabilities:

Enhance valuation and exposure measurement capabilities (i.e. Ability to value and measure the risks associated with all transactions)

Re-prioritize infrastructure investment areas, focus on risk exposure aggregation, netting and product coverage

4. Transparency, disclosure and communication:

Need to provide informative, customized and actionable information to senior management, board and business lines

Risk management should seek guidance and have access to the board in order to understand their objectives and perspective

Increased external disclosures to shareholders, regulators, rating agencies

State of ERM


Benchmarking ERM CapabilitiesDeloitte’s ERM capability maturity model

Stages of Risk Management Capability Maturity

Stak

ehol

der V

alue

Integrated

Optimized

ComprehensiveSiloedInitial

• Ad hoc/chaotic• Reactive• Processes undefined

and undocumented• Depends primarily on

individual heroics, capabilities, and verbal wisdom

• Independent risk management activities

• Limited focus on the linkage between risks

• Limited alignment of risk to strategies

• Disparate monitoring & reporting functions

• All risk types and business units encompassed

• End to end business risk management process implemented

• Common framework, program statement, policy, and risk assessment criteria

• Dedicated team or function

• Risk interactions and dependencies rigorously evaluated

• Risks to develop overarching risk profile aggregated

• Enterprise-wide “at risk” measure adopted

• Risk modeling/scenarios

• Risk discussion is embedded in strategic planning, capital allocation, product development, etc.

• Use of dynamic early warning indicators

• Linkage to performance measures and incentives

Representative Attributes Describing Each Maturity Level

Initial Siloed Comprehensive Integrated Optimized


ERM Capability of Various IndustriesSome industries have been focused longer on ERM and made greater strides

ERM Maturity

Stak

ehol

der V

alue

Integrated

Optimized

ComprehensiveSiloedInitial

Financial Services

Mining

Industrials

Energy

Life Sciences

Insurance

Retail

Technology

Reasons for higher ERM capabilities in certain industries:• Highly regulated industry with intense

scrutiny from government entities• Sophisticated risk analysis inherent to

the business• Nature of operations is high risk

Note: Placement of industries in this chart is judgmental, but based on Deloitte’s depth of ERM knowledge and experience with a wide variety of industries.

Note: Gradients indicate that a small number of outliers define the upper end of the range.

Risk Management Framework


Defining a risk management framework

Risk Intelligence (RI) is Deloitte’s risk management philosophy that is focused on maintaining the right balance between risk and reward. Simply put, organizations create value by taking risks and lose value by failing to manage them. An effective risk management program focuses simultaneously on value protection and value creation. Deloitte calls organizations that have attained this advanced state of risk management capability a “Risk Intelligent Enterprise™.”

A risk management framework provides a structure that helps organizations decide which opportunities to pursue and which hazards to avoid

The ERM framework recognizes thedual nature of risk and devotessufficient resources both to risktaking for reward and protection ofexisting assets.

The elements of the ERM frameworkinclude:

Leaders adopt a broad outlookand governance of risk andintegrate risk considerations intostrategic decision-making

Capable processes, systems andtrained people act on both risksand opportunities in a timely andcoordinated manner

A consistent risk assessmentapproach is used across theorganization to manage allclasses of risk in an effectiveand efficient manner

Policies & procedures Capability Information &

reportingTools and technology

Risk Governance

Risk Management Infrastructure

Risk identification Risk measurement

Risk assessment Risk response Escalation &

monitoring

Risk Management Processes

Integration with the business

Stakeholder expectations

Risk appetite

Strategy & performance

Tone at the top


Making ERM practicalCompanies achieving higher maturity levels observe the 9 principles

Risk Governance

Risk Infrastructure & Management

Risk Ownership & Processes

Common Definition of Risk A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization

Common Risk Framework A common risk framework supported by appropriate standards is used throughout the organization to manage risks

Roles & Responsibilities Key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization

Common Risk InfrastructureA common risk management infrastructure that is used to support the business units and functions in the performance of their risk responsibilities

Transparency for Governing Bodies Governing bodies (e.g., Boards, Audit Committees, etc.) have appropriate transparency and visibility into the organizations risk management practices to discharge their responsibilities

Executive Management ResponsibilityExecutive management is charged with designing, implementing and maintaining an effective risk program

Business Unit Responsibility Business units are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management

Support of Pervasive FunctionsCertain functions have a pervasive impact on the business and not only provide support to the business units as it relates to the organization's risk program, but also enhance and enable success when strategically aligned and considered as essential elements of the program

Objective Assurance and MonitoringOther functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization's risk program to governing bodies and executive management


Operating modelsControl/Compliance Center for Excellence Reporter / Central Analysis

Operating Philosophy

Risk Culture

• Risk organization may be perceived to be enforcer of risk policies and rules

• Centralized risk function often assumes ownership and management of particular risks

• Drive risk management/ process/ function integration and alignment

• Integrate and coordinate cross-functional risk inter-dependencies

• Risk organization may be perceived to be business partner

• Support/conduct risk assessments using various techniques

• Identify likely/potential critical risks and proactively engage risk owners, build tools, processes, etc.

• Focus on enhancing risk informed decision making and managing risks during execution of decisions

• Risk organization may be perceived to be a burden on the business

• Line management ownership of risks

• Avoids unnecessary disruption to the business

Typical Attributes

• Extensive reliance on policies and procedures

• Many activities focused on monitoring compliance

• Requires tool/process development investments

• Utilization of tools/process is optional

• Tools/process may not be fully utilized or adopted by business/risk owners

• Risk organization should provide quality services to business units

• Identify high level risk trends• Gather information and report to

center for data analysis


Risk roles & responsibilities - Illustrative

Business Units

Take and Manage Risks

Ownership of business unit activities which give rise to risk and responsibility for risk management and mitigation

Risk identification and self-assessments

Developing strategy & taking actions to manage and mitigate risks within policy and risk appetite

Providing assertions on risk exposure and controls for their business area / function

Business Unit Risk Managers coordinate the Business Unit risk assessment, monitoring, and mitigation activities

ERM Function

Monitor & Aggregate

Establishment of consistent risk policies, governance framework, standards, and information reporting mechanisms to facilitate effective risk management

Monitoring and participation in specific risk committees for the purpose of providing the enterprise view

Providing summary information and analysis to the Executive Committee to assess, evaluate, and act on risk

Risk Committees

Oversee

Oversight over risks within scope of authority

Oversight and approval of measurement and management methodologies for risks within scope

Oversight of changes in risk profile

Oversight of Business Unit management of designated risk categories

Executive Committee

Approve

Approval of key documents, such as:

˗ ERM Policy ˗ Risk Appetite ˗ Risk Governance

Model ˗ Authorities˗ Committee

Charters Monitoring risk

exposure status Approving Board

reporting package Monitoring

Business Unit mitigation plans and their status for top risks

Approve limit exceptions

Audit Committee

Ratify

Ratification of key documents, such as:

˗ ERM Policy ˗ Risk Appetite ˗ Risk Governance

Model˗ Authorities˗ Committee

Charters

Internal Audit

Validate

Independent Verification and Testing of:

˗ Internal Controls ˗ Quality of the

Enterprise Risk Management Program

˗ Quality and integrity of risk models

An example of risk management roles and responsibilities throughout an organization


Three lines of defenseRisk management responsibility can be viewed as three lines of defense: management, Chief Risk Officer (CRO)/ Risk function, and Internal Audit

1st Line of Defense

• Promote a strong risk culture and sustainable risk-return decision making

• Portfolio optimization on the macro and micro level

• Promote a strong culture of adhering to limits and managing risk exposure

• Ongoing monitoring of risks

2nd Line of Defense

• Combination of watchdog, trusted advisor, enforcer

• Understand how the business makes money—and actively challenge initiatives if appropriate

• Top talent with business experience engaging with management and NBD as equals

• Independent from management and staff that originate risk exposures

• Overarching risk oversight unit across all risk types and business units

3rd Line of Defense

• Good understanding of the business and risk management

• Top talent within audit—to challenge the front office and risk management function

• Independent oversight function with ability to enforce fulfillment of findings

• Ability to link business and risk with process and IT know-how

External Auditor

Regulator

Board of Directors

Top Management and New Business Dev.

Risk Management Function Internal Audit


Risk appetite principles: Defined by senior management and approved by the

Board of Directors Aligned with business objectives and should be linked to

KPIs Responsibility distributed across the organization to all

levels of management Embedded in policy development, business and strategic

planning, resource allocation, and various business and risk processes

Risk appetite

At the highest level, risk appetite defines the amount of overall risk that a firm is willing to accept in pursuit of its business objectives

Risk Appetite Scale

Risk metrics

and limits

Action and correction

Risk monitoring/ reporting framework

Risk appetite

statement

Strategic goals & value

drivers

Risk Seeking Risk Tolerant Risk Neutral Risk Averse

Description Taking risk is considered part of company’s strategy

Company takes an aggressive approach towards taking risk

Company takes a balanced approach to risk taking

Company accepts as little risk as possible

Example risk appetite by business activity

New market expansion and acquisition activities

Portfolio management, innovation

Operations, asset / liability management

Heath, safety, environment, security, fraud, financial reporting, regulatory compliance and reputation


Risk processes

Risk Measurement

Risk Response & Mitigation

Risk Monitoring &

Reporting

Risk Identification

Risk Assessment

• Structuredaround enterprise wide framework of risk categories and definitions

• Both top down and bottom up process

• Provide a qualitative and quantitative view of risk

• Assessed on the Gross / Inherent basis and on the Net / Residual basis taking into consideration existence of risk mitigation

• Level of complexity of the risk assessment should correlate to level of significance of the risk

• Need BUinvolvement

• Range of risk measurement methodologiesexist

• Data availability and quality is key

• Most start with qualitative form of risk assessment

• Examples include: risk assessment & scoring, KRIs, loss event and scenario modeling, economic capital modeling and allocation

• Appropriate response is dependent on company’s strategic objectives, risk appetite, level of action requiredand return/ reward / cost of the mitigation plan

• Can range from fully mitigate to partial mitigation, to accept and no mitigation

• Establish a risk mitigation framework

• Risks usually monitored individually and then aggregated and reported

• RM Function usually aggregates and reports

• Effective risk reporting should include info on key risks enterprise wide, provide clear picture of risk profile and emerging risks, and focus on KRIs, limits and thresholds

• Risk dashboard

1 2 3 4 5

Key risk processes to establish a robust risk management framework:

Role of Internal Audit – A Discussion


Roles internal audit should not undertake

Core internal audit roles in regards to ERM

Legitimate internal audit roles with safeguards

Internal Audit’s role in ERM

*Source: The Institute of Internal Auditors (IIA) Position Statement

Two key factors to consider when determining Internal Audit's role with respect to ERM include:1. Whether the activity raises any threats to the internal auditors' independence

and objectivity2. Whether it is likely to improve the organization's risk management, control, and governance

processes.

Leading Practices and Insights from Deloitte’s Global Risk Management Survey – Seventh Edition


The seventh edition of the bi-annual Global Risk Management Survey represents Deloitte’s most recent look at the state of risk management across the global financial services industry

Global Risk Management Survey 2011

The survey was conducted during Q3 2010

We solicited responses from CROs or their equivalents at financial services firms around the world

131 financial institutions with a total of over $17 trillion in assets participated

Topics included:

‒ Risk governance‒ Enterprise risk management‒ Basel II, Solvency II, and economic capital‒ Managing risk types‒ Risk management systems & technology

infrastructure

Source: Navigating in a Changed World, Deloitte Global Risk Management Survey, 7th edition http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_fsi_grms_031711.pdf


Participating institutions were primarily diversified financial services companies, commercial and retail banks, and insurance companies

Headquartered in a variety of geographies, many responding institutions are global companies

The range of asset sizes includes some of the world’s largest institutions as well as smaller, regional institutions

About the survey Primary Business

Geography

Asset Size

Note: Some graphs do not add to 100% due to rounding.


Risk governance findings and insightsThe scope and responsibilities of the Board, Chief Risk Officer and risk management function continue to grow, with more and more responsibilities being added.

Which of the following steps has your organization taken in response to recent concerns regarding risk governance?


Risk governance findings and insights Increasingly, risk management responsibilities are being incorporated into goals and compensation decisions across organizations. This trend will likely continue to grow.

To what extent are responsibilities for risk management incorporated into performance goals and compensation across the organization?

12% 13%6%

2%6%

2% 3% 3% 3% 3%

37%43%

22%26%

25%29%

19% 17%

7% 10%

0%

10%

20%

30%

40%

50%

60%

2008 2010Senior management

2008 2010Middle management

2008 2010Finance personnel

2008 2010Operations personnel

2008 2010Staff personnel

Completely Substantially

49%

56%

28% 28%31% 31%

22%20%

10%13%


Enterprise risk management findings and insights • The adoption of ERM programs continues to grow – 79% of all respondents said

they have or are currently implementing an integrated ERM program, versus 59% two years ago.

• The perceived value of ERM is also on the rise.

How much value do you believe your organization has received from its ERM program, or equivalent, in each of the following areas?


Enterprise risk management findings and insights Boards of Directors have been substantially increasing the scope and frequency of risk management related reporting.

Which of the following types of risk information does your organizationcurrently report to the Board of Directors?


Managing risk types – overview across risk types A number of new risk types were added to the survey in 2010; for those risks also in the 2008 survey, the assessment of risk management effectiveness has not increased significantly for most risk types.

How effective do you think your organization is in managing each of the following types of risks?

77% 76% 74% 71% 71% 71% 71%64% 64% 62% 60%

56% 54% 54% 53% 49% 48% 47% 45% 44% 44% 43% 41%37% 37% 36%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Extremely / Very effective


Risk infrastructure and data findings and insights • The integration of risk systems and data continues to present challenges across

all financial services sectors.• Data management and data integrity are increasingly important areas of focus for

many major financial institutions.

How effective do you think your organization is in the following aspectsof risk data strategy and infrastructure?

38%

37%

29%

28%

27%

33%

31%


Role of the board of directors: Increased focus on governance and oversight for risk management and on approving a clearly stated-risk framework, policies and risk appetite statement

Role of the chief risk officer: Increased responsibility and visibility: direct reporting lines to the board and/or CEO and leading ERM program, including risk governance, reporting and analytics, where appropriate

“Three lines of defense”: Define risk framework that clearly identifies roles, responsibilities and monitoring across the organization

Risk appetite statement: Approving an enterprise-level statement of risk appetite and integrating into business activities, e.g. limits

Risk metrics: Focus on key risk metrics in decision-making across the organization, including strategy planning, budgeting, and performance measurement

Chief Compliance Officer and Compliance Program: Emphasis on building enterprise-wide, independent compliance risk management program consistent with regulatory guidance and elevating visibility of CCO and direct reporting line to the board

Risk reporting: Continued challenges with integration of systems and data; yet focus remains on aggregation and analysis across asset classes and business. Enhanced reporting to management and the board

Leading practices


Risk management likely continues to be an area of substantial focus, given market conditions and regulatory change

No two institutions are alike: Business strategy and the mix of component businesses and jurisdictions will help drive decision-making

Risk governance – boards have been increasingly proactive in risk management and this will likely continue

The CRO is increasingly a more senior executive position

Even “traditional” risks such as operational risks can benefit from more attention; additional risks may need focus

Continued and increased use of risk measurement models and approaches, including stress testing, require assessment of models and assumptions

Data integrity and data analysis become increasingly important as systems are integrated and reporting needs increase

Take-aways for consideration

As an internal auditor evaluating an ERM Program, the following are considerations:

Questions and Answers

About DeloitteDeloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2012 Deloitte Development LLC. All rights reserved.Member of Deloitte Touche Tohmatsu Limited

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting,business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. In addition, this presentation contains summarized survey results, which are included for informational and discussion purposes only. Participant survey responses were taken “as is” and were not confirmed or validated by Deloitte. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

4. am track 3 - deloitte - iia presentation 2012-05-18_final

Documents

chief risk officer

risk management roles

risk governance findings

enterprise risk management

internal audit

executive management

governing bodies

strategic planning