cae - session #1 - enterprise risk management - howe...enhanced risk analysis using data analytics...

5/2/19

1

NEXTGEN ENTERPRISE RISK MANAGEMENT (ERM)Risk-Informed Performance Management

The IIA Philadelphia Chapter2019 Spring Summit - May 3, 2019‘Elevating Performance - Taking a Leadership Role in Raising the Standards’

DISCLAIMER, TRADEMARK, AND COPYRIGHT NOTICEPHILADELPHIA CHAPTER OF THE IIA

• The Philadelphia Chapter was established in 1943, and is the 5th affiliate chapter of The Institute of Internal Auditors (IIA). The Philadelphia Chapter, its board of governors, its officers, The IIA , and today’s presenters are not responsible or liable for any acts or omissions and specifically disclaim any and all responsibility or liability for acts or omissions.

• The material contained herein or communicated is for informational purposes only and should not be construed as accounting, financial, tax, or legal advice. Please seek guidance specific to your questions or concerns from qualified advisors.

• All content including graphics or art work is protected by law and may not be duplicated in any form with out the express written permission from the Philadelphia Chapter.

• © 2015 Philadelphia Chapter of the IIA

IIA PHILADELPHIA CHAPTER 2019 SPRING SUMMIT #SpringSummit2019

• Benefits of effective ERM

• ERM journey

• NextGen ERM

• Enterprise Risk Assessment (ERA)

• Performance management dashboard

#SpringSummit2019IIA PHILADELPHIA CHAPTER 2019 SPRING SUMMIT

Agenda

5/2/19

2

Provides visibility into the top risks that may impact strategic goals

Enhances insights into existing and emerging risks

Improves line of sight into drivers of volatility which could impact performance and strategic goals

Advances cross-functional alignment by evaluating risks at the system level while defining priorities for those companies engaged in the process

Enhances alignment to the level of risk-reward that is acceptable for the enterprise and BUs


Benefits of effective ERM?


ERM is a journey and has transformed in recent years…

Value Creation

Business Performance

Ris k Enabled PerformanceManagement

Leading practices► Expanded consideration to emerging risks ► Directly links key risks to performance drivers► Enhanced risk analysis using data analytics► Integrated risk and performance management► Aligned with P&L and balance sheet, enabling

risk-adjusted real-time decision support ► Formalized Operational Risk Framework► Defining future trends and predictive indicators► Allows scenario analysis and stress testing► Provides tangible value linked to risk management

Ris k ins ight and performance improvement

Ris k ident ificat ion and report ing

Historical focus - practices► Independent risk identification and assessment process► Designed to provide risk reporting to Leadership and the Board► Process independent of operations and performance management► Evaluation of current exposures based on historical perspectives► Informational and/or compliance focus

Expanded focus

Foundational ERM

Integrate risk and performance management

to create a competitive advantage

Value Protection


Risk AssessmentAgreement to the key risks to performance and the drivers of the

risks.

PerformanceAgreement to the Key

Performance Measures of the organization and what

drives performance.

StrategyMaximize success by driving value, minimizing cost and improving risk coverage.

A methodology to demonstrate alignment between the performance dimensions that an organization does not want to compromise, and its enterprise risks. The enhanced alignment

supports informed decision-making on what actions to augment, eliminate or exploit in order to increase the probability of executing to or beyond performance targets.

Our NextGen ERM Methodology enhances traditional ERM practices to enable performance oriented enterprise risk assessments (ERA)

Probable OutcomesAssess the probable

variance in performance outcomes (+/-) through

risk adjusted performance.

EY’s NextGen ERM Methodology

5/2/19

3

• Organizations are revisiting their ERM practices and considering risk in both strategy-setting process and in driving performance.

• They position risk in the context of performance, rather than as the subject of an isolated exercise.

• ERM practices should enable companies to better anticipate risk so they can get ahead of it, with an understanding that change creates opportunities, not simply the potential for crises.

• ERM provides a framework for organizations to enhance enterprise resilience and long-term viability.

#SpringSummit2019IIA PHILADELPHIA CHAPTER 2019 SPRING SUMMITSource: COSO September 2017 publication: Enterprise Risk Management — Integrating with Strategy and Performance

Weaving ERM into existing processes


EnterpriseRisk

Management Process

Monitor

AssessReport

Identify

Respond

Provide holistic and targeted views of risk to support efficient management decision making

Analyze risk trends and monitor status of risk mitigation plans

Determine risk response and perform risk treatment; remediation or acceptance

Identify and report risks by evaluating risk and performing risk assessments against controls, policies and standards

Define the strategy, resource alignment, standard processes, monitoring activities, and controls necessary to consistently and effectively manage enterprise risks to an acceptable level

Assess identified risks against standard risk rating criteria

Risk areas (processes, initiatives, applications, assets) are identified and enter the risk framework

Enterprise Risk Mitigation

Enterprise Risk Assessment

The Enterprise Risk Assessment is a foundational step to identifying and mitigating risks


• The output of an Enterprise Risk Assessment (ERA) can be used to identify board level reporting risks

• Board-level risks are located in the “Improve” section of the below 2x2 matrix (e.g. Tier 1 risks)

• Risks that should inform the audit plan are located in the “test” section

TestHigh-risk exposures with strong controls and management efforts form the focus for audit to provide assurance that controls are adequate and efficient.

ImproveHigh-risk exposures with low levels of control form the priorities for improvement opportunities.

OptimizeLow-risk exposures with a moderate level of control consciously may be accepted, or there may be a focus to optim ize the processes and controls for greater efficiency.

MonitorLow-risk exposures accompanied by a lower level of control often are considered emerging and must remain a focus of ongoing monitoring efforts.

Risks in this quadrant form the basis of the audit plan

Risks in this quadrant should be the focus of board reporting

An ERA 2X2 action matrix recommends risk response plans and highlights board-level reporting risks

5/2/19

4


From a heat-map to a performance management dashboard


Brian Barker

Senior Manager, Risk Transformation – Enterprise Risk Management

►6+ years leading risk engagements►10+ years project management and team leadership experience►Managed large scale ERM program implementations and ongoing ERM operations

for global organizations►Experienced in ERM in numerous industries, including life sciences, consumer

products and retail, diversified industrial products, technology, and government►Led diagnostics, enterprise risk assessments, and response planning and reporting

engagements across industries

Today’s facilitator

Follow us on Social Media:

@IIA Philadelphia

Institute of Internal Auditors Philadelphia Chapter

hhtps://www.linkedingroups.com/groups/106938

Visit our FB page: IIA Philadelphia

Click here to add contact info

IIA PHILADELPHIA CHAPTER 2019 SPRING SUMMIT #SpringSummit2019

cae - session #1 - enterprise risk management - howe...enhanced risk analysis using data analytics...

Documents