4. AM Track 3 - Deloitte - IIA Presentation 2012-05-18_FINAL
The New York Chapter of the Institute of Internal Audit - 39th Annual Audit Seminar
May 18, 2012
Patchin Curtis, Director; Michele Crish, Senior Manager; Michael Schor, Senior Manager
Enterprise Risk Management for Internal Auditors
Copyright © 2012 Deloitte Development LLC. All rights reserved.
Contents
Defining Risk and Risk Management
State of Enterprise Risk Management (ERM)
Risk Management Framework
Role of Internal Audit – A Discussion
Leading Practices and Insights from Deloitte’s Global Risk Survey
Questions and Answers
Risk management in the news
“A bank in which every employee understands his or her responsibility for managing risk is likely to be more sound than a bank in which risk management is always seen as someone else's responsibility. While risk management starts at the business-line level, a well-run bank also has in place an effective program for enterprise-wide risk management that is supported by strong internal controls.” - Sara Raskin, Federal Reserve Bank Governor, 2011
“Given the central role of effective, firmwide risk management in maintaining strong financial institutions, it is clear that supervisors must redouble their efforts to help organizations improve their risk-management practices… We are also considering the need for additional or revised supervisory guidance regarding various aspects of risk management, including further emphasis on the need for an enterprise-wide perspective when assessing risk.” - Ben Bernanke, US Federal Reserve Bank Chairman, 2008
“A fundamental shortcoming is the wide disparity between the rapid pace of financial innovation and the risk management infrastructure on which this innovation was built… historic or statistical measures of risk and exposure, such as value-at-risk, past loss experiences and name concentration in the traditional banking book have proved inadequate.” - Nout Wellink, BIS Chairman, 2008
“Strong risk management and robust financial regulation are the bedrock of a stable financial system.” - Hugo Banziger, Deutsche Bank’s Chief Risk Officer and a Member of the Management Board, 2010
“I am fully convinced that going forward, continued improvement of risk management by banks, despite their size, will not only impact on their behavior but also their performance.” - Liu Mingkang, Chairman, China Banking Regulatory Commission, 2004
Defining risk
Risk is the potential for loss or harm — or the diminished opportunity for gain — that can adversely affect the achievement of an organization’s objectives, as defined by our Risk Intelligence approach.
Unrewarded Risk:
• Nothing is gained from taking the risk
• Relates to risk areas such as regulatory compliance
Rewarded Risk:
• Provides a premium if managed well
• Relates to strategy and business decisions, where value is created
Focusing on rewarded risk enables continued creation and preservation of value, even in turbulent times. This is the focus of Deloitte‘s approach.
Risk Intelligence addresses the risks and rewards of value creation:
• Risk does not just relate to events that cause damage to the business - consider risk that applies to value creation
• If risk associated with value creation is not properly managed, a company may not reap potential rewards
• A company’s leadership team must understand the company’s risk and reward profile
• Neglecting compliance could result in business termination
• If companies avoid too many risks, they will forgo associated rewards
Defining risk management
“A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its appetite, to provide reasonable assurance regarding the achievement of entity objectives.”*
*Source: Committee of Sponsoring Organizations of the Treadway Commission – COSO
A leading definition for Enterprise Risk Management is:
ERM IS:
• A process for providing a risk adjusted view of the achievability of enterprise objectives
• A means to enhance informed decision making and risk taking
• An aggregated portfolio view of risks and vulnerabilities and their potential interactions
• A methodology that supports accountability for risk across the organization
ERM IS NOT:
• A substitute for management’s judgment
• A bureaucratic exercise that is isolated from the business units
• A guarantee of a zero risk environment
Role of risk management evolves
Traditional View
• View on managing single risk factors / single impact events within various organizational silos
• Measure risk and ensure that exposure concentrations are contained within pre-specified (arbitrary) limits
• Performance measured on ex-post basis in Return on Assets (ROA) or contribution terms. Business Unit Return on Equity (ROE), if measured, based on simple equity allocations
• Institution’s overall capital ratio: regulatory capital
Evolving View
• View on managing risk enterprise-wide
• Measure risk, allocate capital based on risk, and measure performance relative to the cost of risk (economic capital)
• Clarify risk/return economics for line management, and incorporate into pricing and customer profitability
• Risk adjusted performance for business units, customers and portfolios utilize the same approach
• Greater link between CFO and Chief Risk Officer
• Evolving risk management capabilities builds upon an institution’s strengths and existing capabilities
Risk types shown in the diagram: Business Risk, Compliance, Country Risk, Operational Risk, Credit Risk, Liquidity Risk, Reputation, Market Risk
Benefits and challenges of risk management
Benefits
• More integrated and comprehensive assessment of risks, and an objective, consistent approach to managing them
• Enhanced clarity around risk management roles and responsibilities
• Help create a more common language and improved view of risk across the institution
• Improved understanding and monitoring of the nature of risk in the business
• Promote a risk-aware operating culture and accountability
• Receive favorable treatment from credit agencies, insurers, analysts and other stakeholders
Challenges
• Defining ERM: lack of organizational objectives and confusing, contradictory terminology
• Assessing risk profile in line with strategic decisions
• Siloed view of risk
• Identifying and aggregating various risk types
• Risk measurement: no one tool exists
• Enabling technology: no one system addressing ERM
Risk management provides many benefits throughout the organization and beyond. However, implementing an ERM program may pose challenges across the organization, especially with risk language, risk infrastructure and risk data.
Current trends in risk management
1. Clear governance practices embedded into the organizational structure:
• Increase oversight, interaction and communication with board and senior management risk operating committees
• Communicate a statement of the risk philosophy and appetite of the firm that is actionable and can be assessed
• Document and clarify roles and responsibilities
• Develop integrated market and credit risk framework processes
2. Risk and return balance and risk management priorities:
• Decision making is risk/return oriented and in partnership — risk is “right sized” to organization
• Compensation structure is aligned with risk and reward
• Risk management function has risk “veto” authority with clear escalation/resolution processes
3. Investment in infrastructure and risk capabilities:
• Enhance valuation and exposure measurement capabilities (i.e. ability to value and measure the risks associated with all transactions)
• Re-prioritize infrastructure investment areas, focus on risk exposure aggregation, netting and product coverage
4. Transparency, disclosure and communication:
• Need to provide informative, customized and actionable information to senior management, board and business lines
• Risk management should seek guidance and have access to the board in order to understand their objectives and perspective
• Increased external disclosures to shareholders, regulators, rating agencies
Benchmarking ERM Capabilities
Deloitte’s ERM capability maturity model
Stages of Risk Management Capability Maturity (stakeholder value rises with each stage): Initial, Siloed, Comprehensive, Integrated, Optimized
Representative Attributes Describing Each Maturity Level
Initial
• Ad hoc/chaotic
• Reactive
• Processes undefined and undocumented
• Depends primarily on individual heroics, capabilities, and verbal wisdom
Siloed
• Independent risk management activities
• Limited focus on the linkage between risks
• Limited alignment of risk to strategies
• Disparate monitoring & reporting functions
Comprehensive
• All risk types and business units encompassed
• End to end business risk management process implemented
• Common framework, program statement, policy, and risk assessment criteria
• Dedicated team or function
Integrated
• Risk interactions and dependencies rigorously evaluated
• Risks aggregated to develop an overarching risk profile
• Enterprise-wide “at risk” measure adopted
• Risk modeling/scenarios
Optimized
• Risk discussion is embedded in strategic planning, capital allocation, product development, etc.
• Use of dynamic early warning indicators
• Linkage to performance measures and incentives
ERM Capability of Various Industries
Some industries have been focused longer on ERM and made greater strides
[Chart: ERM Maturity (Initial, Siloed, Comprehensive, Integrated, Optimized) plotted against Stakeholder Value, with ranges shown for Financial Services, Mining, Industrials, Energy, Life Sciences, Insurance, Retail and Technology]
Reasons for higher ERM capabilities in certain industries:
• Highly regulated industry with intense scrutiny from government entities
• Sophisticated risk analysis inherent to the business
• Nature of operations is high risk
Note: Placement of industries in this chart is judgmental, but based on Deloitte’s depth of ERM knowledge and experience with a wide variety of industries.
Note: Gradients indicate that a small number of outliers define the upper end of the range.
Defining a risk management framework
Risk Intelligence (RI) is Deloitte’s risk management philosophy that is focused on maintaining the right balance between risk and reward. Simply put, organizations create value by taking risks and lose value by failing to manage them. An effective risk management program focuses simultaneously on value protection and value creation. Deloitte calls organizations that have attained this advanced state of risk management capability a “Risk Intelligent Enterprise™.”
A risk management framework provides a structure that helps organizations decide which opportunities to pursue and which hazards to avoid.
The ERM framework recognizes the dual nature of risk and devotes sufficient resources both to risk taking for reward and protection of existing assets.
The elements of the ERM framework include:
• Leaders adopt a broad outlook and governance of risk and integrate risk considerations into strategic decision-making
• Capable processes, systems and trained people act on both risks and opportunities in a timely and coordinated manner
• A consistent risk assessment approach is used across the organization to manage all classes of risk in an effective and efficient manner
Framework diagram components:
• Risk Governance
• Risk Management Infrastructure: policies & procedures; capability; information & reporting; tools and technology
• Risk Management Processes: risk identification; risk measurement; risk assessment; risk response; escalation & monitoring
• Integration with the business
• Surrounding context: stakeholder expectations; risk appetite; strategy & performance; tone at the top
Making ERM practical
Companies achieving higher maturity levels observe the 9 principles, which span Risk Governance, Risk Infrastructure & Management, and Risk Ownership & Processes:
1. Common Definition of Risk: A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization
2. Common Risk Framework: A common risk framework supported by appropriate standards is used throughout the organization to manage risks
3. Roles & Responsibilities: Key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization
4. Common Risk Infrastructure: A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities
5. Transparency for Governing Bodies: Governing bodies (e.g., Boards, Audit Committees, etc.) have appropriate transparency and visibility into the organization's risk management practices to discharge their responsibilities
6. Executive Management Responsibility: Executive management is charged with designing, implementing and maintaining an effective risk program
7. Business Unit Responsibility: Business units are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management
8. Support of Pervasive Functions: Certain functions have a pervasive impact on the business and not only provide support to the business units as it relates to the organization's risk program, but also enhance and enable success when strategically aligned and considered as essential elements of the program
9. Objective Assurance and Monitoring: Other functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization's risk program to governing bodies and executive management
Operating models
Three operating models for the risk organization are compared: Control/Compliance, Center for Excellence, and Reporter / Central Analysis. Each is described by its operating philosophy and risk culture, then by its typical attributes.
Control/Compliance
Operating philosophy and risk culture:
• Risk organization may be perceived to be enforcer of risk policies and rules
• Centralized risk function often assumes ownership and management of particular risks
• Drive risk management/ process/ function integration and alignment
• Integrate and coordinate cross-functional risk inter-dependencies
Typical attributes:
• Extensive reliance on policies and procedures
• Many activities focused on monitoring compliance
Center for Excellence
Operating philosophy and risk culture:
• Risk organization may be perceived to be business partner
• Support/conduct risk assessments using various techniques
• Identify likely/potential critical risks and proactively engage risk owners, build tools, processes, etc.
• Focus on enhancing risk informed decision making and managing risks during execution of decisions
Typical attributes:
• Requires tool/process development investments
• Utilization of tools/process is optional
• Tools/process may not be fully utilized or adopted by business/risk owners
• Risk organization should provide quality services to business units
Reporter / Central Analysis
Operating philosophy and risk culture:
• Risk organization may be perceived to be a burden on the business
• Line management ownership of risks
• Avoids unnecessary disruption to the business
Typical attributes:
• Identify high level risk trends
• Gather information and report to center for data analysis
Risk roles & responsibilities - Illustrative
An example of risk management roles and responsibilities throughout an organization
Business Units - Take and Manage Risks
• Ownership of business unit activities which give rise to risk and responsibility for risk management and mitigation
• Risk identification and self-assessments
• Developing strategy & taking actions to manage and mitigate risks within policy and risk appetite
• Providing assertions on risk exposure and controls for their business area / function
• Business Unit Risk Managers coordinate the Business Unit risk assessment, monitoring, and mitigation activities
ERM Function - Monitor & Aggregate
• Establishment of consistent risk policies, governance framework, standards, and information reporting mechanisms to facilitate effective risk management
• Monitoring and participation in specific risk committees for the purpose of providing the enterprise view
• Providing summary information and analysis to the Executive Committee to assess, evaluate, and act on risk
Risk Committees - Oversee
• Oversight over risks within scope of authority
• Oversight and approval of measurement and management methodologies for risks within scope
• Oversight of changes in risk profile
• Oversight of Business Unit management of designated risk categories
Executive Committee - Approve
• Approval of key documents, such as: ERM Policy; Risk Appetite; Risk Governance Model; Authorities; Committee Charters
• Monitoring risk exposure status
• Approving Board reporting package
• Monitoring Business Unit mitigation plans and their status for top risks
• Approve limit exceptions
Audit Committee - Ratify
• Ratification of key documents, such as: ERM Policy; Risk Appetite; Risk Governance Model; Authorities; Committee Charters
Internal Audit - Validate
• Independent verification and testing of: Internal Controls; Quality of the Enterprise Risk Management Program; Quality and integrity of risk models
Three lines of defense
Risk management responsibility can be viewed as three lines of defense: management, Chief Risk Officer (CRO)/ Risk function, and Internal Audit
1st Line of Defense (Top Management and New Business Dev.)
• Promote a strong risk culture and sustainable risk-return decision making
• Portfolio optimization on the macro and micro level
• Promote a strong culture of adhering to limits and managing risk exposure
• Ongoing monitoring of risks
2nd Line of Defense (Risk Management Function)
• Combination of watchdog, trusted advisor, enforcer
• Understand how the business makes money—and actively challenge initiatives if appropriate
• Top talent with business experience engaging with management and NBD as equals
• Independent from management and staff that originate risk exposures
• Overarching risk oversight unit across all risk types and business units
3rd Line of Defense (Internal Audit)
• Good understanding of the business and risk management
• Top talent within audit—to challenge the front office and risk management function
• Independent oversight function with ability to enforce fulfillment of findings
• Ability to link business and risk with process and IT know-how
The diagram also shows the Board of Directors, the External Auditor and the Regulator outside the three lines.
Risk appetite
At the highest level, risk appetite defines the amount of overall risk that a firm is willing to accept in pursuit of its business objectives
Risk appetite principles:
• Defined by senior management and approved by the Board of Directors
• Aligned with business objectives and should be linked to KPIs
• Responsibility distributed across the organization to all levels of management
• Embedded in policy development, business and strategic planning, resource allocation, and various business and risk processes
Risk appetite framework components: strategic goals & value drivers; risk appetite statement; risk metrics and limits; risk monitoring/ reporting framework; action and correction
Risk Appetite Scale
• Risk Seeking - Description: Taking risk is considered part of company’s strategy. Example risk appetite by business activity: New market expansion and acquisition activities
• Risk Tolerant - Description: Company takes an aggressive approach towards taking risk. Example: Portfolio management, innovation
• Risk Neutral - Description: Company takes a balanced approach to risk taking. Example: Operations, asset / liability management
• Risk Averse - Description: Company accepts as little risk as possible. Example: Health, safety, environment, security, fraud, financial reporting, regulatory compliance and reputation
Risk processes
Key risk processes to establish a robust risk management framework:
1. Risk Identification
• Structured around enterprise wide framework of risk categories and definitions
• Both top down and bottom up process
2. Risk Assessment
• Provide a qualitative and quantitative view of risk
• Assessed on the Gross / Inherent basis and on the Net / Residual basis taking into consideration existence of risk mitigation
• Level of complexity of the risk assessment should correlate to level of significance of the risk
• Need BU involvement
3. Risk Measurement
• Range of risk measurement methodologies exist
• Data availability and quality is key
• Most start with qualitative form of risk assessment
• Examples include: risk assessment & scoring, KRIs, loss event and scenario modeling, economic capital modeling and allocation
4. Risk Response & Mitigation
• Appropriate response is dependent on company’s strategic objectives, risk appetite, level of action required and return/ reward / cost of the mitigation plan
• Can range from full mitigation, to partial mitigation, to acceptance with no mitigation
• Establish a risk mitigation framework
5. Risk Monitoring & Reporting
• Risks usually monitored individually and then aggregated and reported
• RM Function usually aggregates and reports
• Effective risk reporting should include info on key risks enterprise wide, provide clear picture of risk profile and emerging risks, and focus on KRIs, limits and thresholds
• Risk dashboard
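The risk appetite scale and the risk assessment process above describe scoring each risk on a gross/inherent basis, crediting existing mitigation to arrive at a net/residual score, comparing that against limits derived from the risk appetite, and then aggregating the results for enterprise-wide reporting. The following Python script is an added worked example written for this page; it is not code from the presentation or from Deloitte. The 1-to-5 likelihood and impact scale, the control-effectiveness factors, the per-tier appetite limits and the sample risk register are all constructed assumptions chosen only to illustrate the mechanics.

```python
"""Inherent vs. residual risk scoring with appetite-limit checks and an
aggregated (enterprise) view suitable for a risk dashboard.

Added example, not part of the Deloitte/IIA presentation. All scales,
factors, limits and register entries below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed appetite limits: the maximum residual score (likelihood x impact on
# a 1..5 scale, so 1..25) an activity in that tier may carry before it must
# be escalated. Lower limits express a more risk-averse stance.
APPETITE_LIMITS = {
    "risk_seeking": 20,   # e.g. new market expansion, acquisitions
    "risk_tolerant": 15,  # e.g. portfolio management, innovation
    "risk_neutral": 10,   # e.g. operations, asset/liability management
    "risk_averse": 4,     # e.g. regulatory compliance, fraud, safety
}

# Assumed factor by which existing controls reduce likelihood, keyed by the
# self-assessed control effectiveness rating.
CONTROL_FACTORS = {"none": 1.0, "weak": 0.8, "adequate": 0.5, "strong": 0.25}


@dataclass
class Risk:
    name: str
    business_unit: str
    appetite_tier: str     # key into APPETITE_LIMITS
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (minor) .. 5 (severe)
    control_rating: str    # key into CONTROL_FACTORS

    def inherent_score(self) -> int:
        """Gross score before any mitigation is credited."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Net score after crediting the existing controls."""
        factor = CONTROL_FACTORS[self.control_rating]
        return round(self.likelihood * factor * self.impact, 2)

    def appetite_limit(self) -> int:
        return APPETITE_LIMITS[self.appetite_tier]

    def breaches_appetite(self) -> bool:
        """True when residual exposure exceeds what the appetite tier allows."""
        return self.residual_score() > self.appetite_limit()


def assess(register):
    """Per-risk rows: (name, inherent, residual, limit, breach flag)."""
    return [(r.name, r.inherent_score(), r.residual_score(),
             r.appetite_limit(), r.breaches_appetite()) for r in register]


def aggregate_by_unit(register):
    """Enterprise view: total residual exposure and breach count per unit."""
    totals = defaultdict(lambda: {"residual_total": 0.0, "breaches": 0})
    for r in register:
        totals[r.business_unit]["residual_total"] += r.residual_score()
        if r.breaches_appetite():
            totals[r.business_unit]["breaches"] += 1
    return dict(totals)


def escalation_list(register):
    """Names of risks outside appetite, highest residual score first."""
    over = [r for r in register if r.breaches_appetite()]
    return [r.name for r in sorted(over, key=lambda r: -r.residual_score())]


# Constructed sample register; the values are illustrative only.
SAMPLE_REGISTER = [
    Risk("Expansion into new market", "Corporate Dev", "risk_seeking", 4, 5, "weak"),
    Risk("Trading book concentration", "Markets", "risk_tolerant", 3, 4, "adequate"),
    Risk("Core banking outage", "Operations", "risk_neutral", 3, 5, "strong"),
    Risk("AML reporting failure", "Compliance", "risk_averse", 2, 5, "adequate"),
    Risk("Financial reporting error", "Finance", "risk_averse", 1, 4, "strong"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print("%-28s inherent=%2d residual=%5.2f limit=%2d breach=%s" % row)
    print(aggregate_by_unit(SAMPLE_REGISTER))
    print("Escalate:", escalation_list(SAMPLE_REGISTER))
```

With the sample register, the AML reporting risk has a modest inherent score (10) but still breaches its risk-averse limit of 4 after controls are credited, while the new-market expansion risk carries a far larger inherent score (20) yet stays inside its risk-seeking limit. That contrast is the point of assessing on both bases against a tiered appetite: the escalation list is driven by residual exposure relative to appetite, not by raw severity.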
Internal Audit’s role in ERM
Categories of activity, per the IIA position statement*:
• Core internal audit roles in regards to ERM
• Legitimate internal audit roles with safeguards
• Roles internal audit should not undertake
*Source: The Institute of Internal Auditors (IIA) Position Statement
Two key factors to consider when determining Internal Audit's role with respect to ERM include:
1. Whether the activity raises any threats to the internal auditors' independence and objectivity
2. Whether it is likely to improve the organization's risk management, control, and governance processes.
Global Risk Management Survey 2011
The seventh edition of the bi-annual Global Risk Management Survey represents Deloitte’s most recent look at the state of risk management across the global financial services industry
• The survey was conducted during Q3 2010
• We solicited responses from CROs or their equivalents at financial services firms around the world
• 131 financial institutions with a total of over $17 trillion in assets participated
• Topics included: risk governance; enterprise risk management; Basel II, Solvency II, and economic capital; managing risk types; risk management systems & technology infrastructure
Source: Navigating in a Changed World, Deloitte Global Risk Management Survey, 7th edition http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_fsi_grms_031711.pdf
About the survey
• Participating institutions were primarily diversified financial services companies, commercial and retail banks, and insurance companies
• Headquartered in a variety of geographies, many responding institutions are global companies
• The range of asset sizes includes some of the world’s largest institutions as well as smaller, regional institutions
[Charts: Primary Business; Geography; Asset Size]
Note: Some graphs do not add to 100% due to rounding.
Risk governance findings and insights
The scope and responsibilities of the Board, Chief Risk Officer and risk management function continue to grow, with more and more responsibilities being added.
[Chart: Which of the following steps has your organization taken in response to recent concerns regarding risk governance?]
Risk governance findings and insights
Increasingly, risk management responsibilities are being incorporated into goals and compensation decisions across organizations. This trend will likely continue to grow.
[Chart: To what extent are responsibilities for risk management incorporated into performance goals and compensation across the organization? Percentage of respondents answering “Completely” or “Substantially”, 2008 versus 2010, for senior management, middle management, finance personnel, operations personnel and staff personnel; y-axis 0% to 60%.]
Enterprise risk management findings and insights
• The adoption of ERM programs continues to grow – 79% of all respondents said they have or are currently implementing an integrated ERM program, versus 59% two years ago.
• The perceived value of ERM is also on the rise.
[Chart: How much value do you believe your organization has received from its ERM program, or equivalent, in each of the following areas?]
Enterprise risk management findings and insights
Boards of Directors have been substantially increasing the scope and frequency of risk management related reporting.
[Chart: Which of the following types of risk information does your organization currently report to the Board of Directors?]
Managing risk types – overview across risk types
A number of new risk types were added to the survey in 2010; for those risks also in the 2008 survey, the assessment of risk management effectiveness has not increased significantly for most risk types.
[Chart: How effective do you think your organization is in managing each of the following types of risks? Percentage of respondents rating each risk type “Extremely / Very effective”, ranging from 77% down to 36% across the risk types surveyed; y-axis 0% to 90%.]
Risk infrastructure and data findings and insights
• The integration of risk systems and data continues to present challenges across all financial services sectors.
• Data management and data integrity are increasingly important areas of focus for many major financial institutions.
[Chart: How effective do you think your organization is in the following aspects of risk data strategy and infrastructure? Percentages rating each aspect effective ranged from 27% to 38%.]
Leading practices
• Role of the board of directors: Increased focus on governance and oversight for risk management and on approving a clearly stated risk framework, policies and risk appetite statement
• Role of the chief risk officer: Increased responsibility and visibility: direct reporting lines to the board and/or CEO and leading ERM program, including risk governance, reporting and analytics, where appropriate
• “Three lines of defense”: Define risk framework that clearly identifies roles, responsibilities and monitoring across the organization
• Risk appetite statement: Approving an enterprise-level statement of risk appetite and integrating into business activities, e.g. limits
• Risk metrics: Focus on key risk metrics in decision-making across the organization, including strategy planning, budgeting, and performance measurement
• Chief Compliance Officer and Compliance Program: Emphasis on building enterprise-wide, independent compliance risk management program consistent with regulatory guidance and elevating visibility of CCO and direct reporting line to the board
• Risk reporting: Continued challenges with integration of systems and data; yet focus remains on aggregation and analysis across asset classes and business. Enhanced reporting to management and the board
Take-aways for consideration
As an internal auditor evaluating an ERM Program, the following are considerations:
• Risk management likely continues to be an area of substantial focus, given market conditions and regulatory change
• No two institutions are alike: Business strategy and the mix of component businesses and jurisdictions will help drive decision-making
• Risk governance – boards have been increasingly proactive in risk management and this will likely continue
• The CRO is increasingly a more senior executive position
• Even “traditional” risks such as operational risks can benefit from more attention; additional risks may need focus
• Continued and increased use of risk measurement models and approaches, including stress testing, require assessment of models and assumptions
• Data integrity and data analysis become increasingly important as systems are integrated and reporting needs increase
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. In addition, this presentation contains summarized survey results, which are included for informational and discussion purposes only. Participant survey responses were taken “as is” and were not confirmed or validated by Deloitte. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Copyright © 2012 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited