enterprise risk management - the canadian chamber of...
TRANSCRIPT
Enterprise Risk Management: A Practical Approach
© SGV & Co. 2011 All rights reserved. Confidential and proprietary.
Agenda
► Corporate Governance
► What is Enterprise Risk Management
► ERM Process
► Integrating ERM into the Business
Corporate Governance Framework
Corporate governance is the system, including objectives, rules and procedures, by which business corporations are directed and controlled.
or simply…
It is about doing the right things for the shareholders and stakeholders in a business.
The Role of the Board in the Context of Corporate Governance and Risk Management
► Oversee the risk management infrastructure
► Review the entity’s risk appetite
► Review the risk profile and the portfolio of risks
► Be aware of the risk mitigation strategies and evaluate their effectiveness
► Oversee the monitoring process for risk management
Enterprise Risk Management (ERM)
What is Enterprise Risk Management?
Risk Management: Coordinated activities to direct and control an organization with regard to risk.
- ISO 31000
Enterprise Risk Management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
- Committee of Sponsoring Organizations of the Treadway Commission (COSO)
ERM Helps Address These Issues . . .
► Accountability: Who is on top of these exposures?
► Balance: Are we managing the right risks?
► Effectiveness: Are the mitigation strategies monitored for effectiveness?
► Coordination: Are the efforts well-coordinated to ensure we don’t manage risks in silo?
► Compliance: Are the policies and processes established to manage risks being complied with?
► Completeness: Are we proactively identifying and managing our key exposures?
The Enterprise Risk Management Process: A Practical Approach
ASSESS
1. Assess Risk Management Framework
2. Identify and Prioritize Risks
3. Source and Measure Risks
IMPROVE
4. Develop Risk Management Strategies
5. Assess Risk Management Capabilities
6. Develop Risk Management Action Plans
MONITOR
7. Monitor Risk Management Process
8. Review Results of Monitoring
9. Improve the Risk Management Process
Communicate and Consult
1. Assess Risk Management Framework
Key Activities:
► Assess the current state of the Company’s Risk Management framework: ERM goals and objectives, risk management oversight structure, and policies
Outputs:
► Summary of focus areas for improvement of the Risk Management framework
► Risk management policy
ASSESS
1. Assess Risk Management Framework
2. Identify and Prioritize Risks
3. Source and Measure Risks
IMPROVE
4. Develop Risk Management Strategies
5. Assess Risk Management Capabilities
6. Develop Risk Management Action Plans
MONITOR
7. Develop Risk Monitoring Process
8. Develop Risk Reports
9. Define the Role of Internal Audit in ERM
[Figure: organization chart showing the Board of Directors, Audit Committee, CEO, Risk Management Executive Committee, Internal Audit, CRO, CFO, CIO, CLO, COO, the business risk management function, Business Units A to C, Divisions A and B, and function support and shared services.]
Components of the Risk Management Framework
Governance & Organization
§ Executive sponsorship
§ Risk management organization
§ Ownership and accountability
§ Supervision and oversight
Risk Management Strategy
§ Alignment to business objectives
§ Risk tolerance and appetite
§ Policies and procedures
§ Risk language/categorization
Reporting & Communication
§ Message/Audience/Channel
§ Reporting (External/Internal)
§ Escalation Procedures
§ Stakeholder Dialogue
Tools & Technology
§ Data Repositories
§ Workflow Support Tools
§ Early-Warning Systems
§ Analytical and Modeling Tools
Culture & Capability
§ Skills Identification
§ Training
§ Measurement and Reward
§ Behavior (Integrity/Ethics)
Sample Risk Management Oversight Structure
► Independent Validation Functions
► Other Executives Directly Responsible for Managing Risks -- Manage and Report “Manage Risk at the Source” (cross-functional/enterprise-wide)
► RMEC provides oversight and input to CEO and Board to make better informed decisions
► RMU supports CRO and facilitates, supports and integrates the process
► Comprehensive risk executive
► Oversight role
[Figure: oversight structure chart showing the Board of Directors, Audit/Risk Committee, CEO, Risk Management Executive Committee, Chief Risk Officer, Risk Management, Compliance, Internal Audit, CFO, CIO, CLO, COO, the business risk management function, Business Units A to C, Divisions A and B, and function support and shared services.]
2. Identify and Prioritize Risks
Key Activities:
► Identify and categorize risks
► Prioritize risks as to Severity of Impact and Likelihood
► Assign risk owners/risk owner groups
Outputs:
► Risk Universe
► Risk Map
[Figure: risk map with risks 1 to 10 plotted. Vertical axis: Severity of Impact, rated 1 (Minimal), 2 (Low), 3 (Moderate), 4 (High), 5 (Critical), with financial impact measured in Operating Earnings (OE) on an annualized basis. Horizontal axis: Opportunity for RM Improvement, on the same Minimal to Critical scale.]
Risk Management Context
“A business risk is a threat that an event or action will adversely affect the Company’s ability to achieve its business objectives to maximize stakeholder value.”
or
“What keeps the Board and Management awake at night?”
Linking Risk to Business Strategy
COMPANY’S GOALS, OBJECTIVES AND STRATEGY
WHAT WILL NOT ALLOW THE COMPANY TO SUCCEED?
BUSINESS RISKS: EXTERNAL, INTERNAL
Attributes of Business Risks
► Could be existing
► Could be emerging (has a potential of happening)
► Presents an exposure to both tangible and intangible assets
► Can arise from the external environment, from internal processes and from the lack of information for decision making
► Presents an exposure (downside) if not managed or a potential opportunity (upside) if managed well
How can we use these to our advantage?
EY Risk Universe
Risk categories: Strategic, Operations, Compliance, Financial
Governance: § Board Performance § Tone at The Top § Control Environment § Corporate Social Responsibility
Planning and Resource Allocation: § Organizational Structure § Strategic Planning § Annual Budgeting § Forecasting § JV’s/Alliances and Partnerships § Special Purpose Entities § Technology Enablement § Tax Planning
Major Initiatives: § Vision and Direction § Planning and Execution § Measurement & Monitoring § Technology Implementations § Business Acceptance
Mergers, Acquisition & Divestiture: § Valuation and Pricing § Due Diligence § Execution and Integration § Emergence of Private Equity Firms as Buyers
Market Dynamics: § Competition § Macro-Economic Factors § Lifestyle Trends § Socio-Political § Brand Dilution § Globalization of Brands § Private Label
Communication & Investor Relations: § Media Relations § Crisis Communications § Employee Communication
Sales & Marketing: § Marketing § Advertising § Research & Development § Sales & Pricing § Customer Support/Management § Retailer Relationships § Innovation § Trend Optimization § Channel Stuffing/Brand Mortgaging § Effectiveness of trade spending § Predatory Pricing § Maintaining Brand Value/Minimizing Private Label Encroachment
Supply Chain: § Master Planning & Forecasting § Inventory § Procurement § Production § Distribution § Transportation & Logistics § Cost Control § After Sales Support/Customer Support § Diversification of Manufacturing § Increasing Use of Third Party Manufacturing § Raw Material/Inputs Pricings § Transfer pricing
People/Human Resources: § Culture § Recruiting & Retention § Development & Performance § Succession Planning § Compensation & Benefits § Labor Relations
Hazards: § Natural Events § Terrors & Malicious Acts § Business Continuity Planning
Code of Conduct: § Ethics § Fraud
Legal: § Contract § Liability § Intellectual Property § Anti-Corruption § Global Counterfeiting § Warranty § Increased regulatory pressure on products/ingredients
Regulatory: § Trade § Customs § Labor § Securities § Environment
Market: § Interest Rate § Foreign Currency § Commodity § Derivatives
Liquidity and Credit: § Cash Management § Funding § Hedging § Credit and Collections § Insurance
Accounting and Reporting: § Accounting, Reporting and Disclosure § Internal Control
Capital Structure: § Debt § Equity § Pension Funds § Stock Options
Information Technology: § IT Management § Information Protection § IT Availability/Continuity § Decision Support § IT Architecture § IT Outsourcing
Physical Assets: § Real Estate § Property, Plant & Equipment § Inventory
Tax Operations: § Tax Department Operations § Tax Technology and Knowledge Management
Regulatory: § Data Protection and Privacy § International Dealings § Product Quality/Safety § Health & Safety § Competitive Practices/Anti-Trade § Tax Compliance and Tax Authority Examination Management § Sales and Marketing
Risk Self-Assessment (RSA): Our RSA Approach
[Figure: RSA approach across Business Units 1 to 5. Steps 1 to 3 combine a Risk Self-Assessment Survey, an RSA Workshop and Executive Validation Interviews, covering Strategic Risks and Business Unit (BU) Level Risks for BU1 to BU4 and producing a Consolidated Risk Profile.]
Risk Profile – Sample Output
[Figure: risk profile map with risks 1 to 10 plotted. Vertical axis: Severity of Impact, rated 1 (Minimal), 2 (Low), 3 (Moderate), 4 (High), 5 (Critical), with financial impact measured in Operating Earnings (OE) on an annualized basis. Horizontal axis: Likelihood, on the same Minimal to Critical scale.]
Rank Tier 1 Risks
1 Regulatory compliance
2 Technology Implementation
3 Price volatility
4 Capital/funding
5 Product chain
6 Pipeline shrinkage
7 Socio-Political
8 Terror & malicious acts
9 Corporate social responsibility
10 Natural events
ORMI Map – Sample Output
[Figure: ORMI map with risks 1 to 10 plotted. Vertical axis: Level of Risk, rated 1 (Minimal), 2 (Low), 3 (Moderate), 4 (High), 5 (Critical), with financial impact measured in Operating Earnings (OE) on an annualized basis. Horizontal axis: Opportunities for RMI, on the same Minimal to Critical scale.]
Risk Management Effectiveness Map: A Way to Focus on Action, Not Analysis
Monitor ► Areas of high inherent risk where controls are deemed adequate by management may require monitoring.
Improve ► High inherent exposure with a low level of control must be a key priority for risk management strategy development and controls improvement.
Accept ► Risks with low inherent exposure that also have a low level of control may be consciously accepted by the organization.
Optimize ► Areas of low inherent exposure with a high level of control may generate opportunities to optimize the process and control for efficiency.
The output of an effective Risk Self-Assessment provides insight that is ACTIONABLE.
[Figure: effectiveness map with four quadrants labelled Accept, Improve, Optimize and Monitor. Axes: Level of Risk (Minimal to Critical) and Opportunity for RM Improvement (Minimal to Critical).]
The top 10 risks for organizations (ranking from 2010 in brackets)
1. Regulation and compliance (1)
2. Cost cutting (6)
3. Managing talent (4)
4. Pricing pressure (15)
5. Emerging technologies (13)
6. Market risks (New)
7. Expansions of government’s role (New)
8. Slow recovery or double-dip recession (3)
9. Social acceptance risk/corporate social responsibility (CSR) (9)
10. Access to credit (2)
Predicted risk level in 2013 – Key to symbols: More, Same, Less
The top 10 opportunities for organizations
1. Improving execution of strategy across business functions
2. Investing in process, tools and training to achieve greater productivity
3. Investing in IT
4. Innovating in products, services and operations
5. Emerging market demand growth
6. Investing in cleantech
7. Excellence in investor relations
8. New marketing channels
9. Mergers and acquisitions
10. Public-private partnership
Predicted opportunity level in 2013 – Key to symbols: More, Same, Less
Top 10 global business opportunities: Customer reach, Operational agility, Cost competitiveness, Stakeholder confidence
3. Source and Measure Risks
Key Activities:
► Source business risk
► Measure business risk
Outputs:
► Risk Driver Analysis
► Risk Measurements
[Figure: risk driver analysis for REGULATORY RISK, showing EXTERNAL INFLUENCES and INTERNAL INFLUENCES. Drivers shown: legislation; competitor actions; complex regulatory environment of industry; investment needed to comply with regulatory requirements; investments in different countries; rapport with regulators; exposure to multiple regulatory agencies; staff knowledge and motivation; changes in the regulatory office; process for monitoring compliance; increasing public environmental concern.]
4. Develop Risk Management Strategies
Key Activities:
► Develop risk management strategies
► Validate risk management strategies cross-functionally
Outputs:
► Risk Management Strategies
COMPLIANCE RISK. Inability to adapt and comply with the various business requirements and regulations (industry standards, financial reporting, regulatory, and technical quality) resulting in sanctions from various regulatory agencies.
RISK MANAGEMENT STRATEGY: Accept Compliance Risk as an inherent aspect of the business and industry; but Reduce the risk of occurrence by establishing controls that ensure 100% compliance; Influence regulations to the extent possible and permissible.
RISK DRIVER 1. Inability to determine the status of the Company’s compliance with all regulatory, contractual, financial and other requirements at any single point in time.
RISK MANAGEMENT STRATEGIES
• Establish a monitoring process in each functional area responsible for compliance with regulatory, contractual, financial and other requirements.
• Establish policies, procedures and reports for the regular and periodic reporting to management of the status of the Company’s compliance in each functional area.
RISK DRIVER 2. Regulatory requirements that are complicated and costly to comply with
RISK MANAGEMENT STRATEGIES
• Work to influence regulation through active participation and cooperation in industry activities including study groups for new/upcoming regulations, educational campaign, and other venues to share industry information, ideas and insights
• Ensure active participation in industry groups that promote the Company’s interests
AVOID: • Divest • Prohibit • Stop • Target • Screen • Eliminate
RETAIN: • Accept • Reprice • Self insure • Offset • Plan
REDUCE: • Disperse • Control
TRANSFER: • Insure • Reinsure • Hedge • Indemnity • Securitize • Share • Outsource
EXPLOIT: • Allocate • Diversify • Expand • Create • Redesign • Reorganize • Price • Arbitrage • Renegotiate • Influence
5. – 6. Assess Risk Management Capabilities, and Develop Risk Management Action Plans
Key Activities:
► Assess current and desired future state of risk management capabilities
► Develop risk management action plans to close gaps
Outputs:
► Risk Management Capabilities Assessment
► Risk Management Action Plans
Risk Management Capabilities Assessment
Management Reports, People, Systems and Data, Methodologies, Processes, Policies
► Initial: Capabilities are characteristic of individuals, not of the organization
► Repeatable: Process established and repeating; reliance on people is reduced
► Defined: Policies, processes and standards defined and formalized across the company
► Managed: Risks measured and managed quantitatively and aggregated on an enterprise-wide basis
► Optimizing: Organization focused on continuous improvement of business risk management
• Development of an
7. - 9. Monitor Activities
Key Activities:
► Design risk reporting process and risk reports
► Define role of Internal Audit in monitoring the effectiveness of the risk management process
Outputs:
► Risk monitoring process
► Risk reports
[Figure: sample purchasing process flowchart with lanes for PURCHASING STAFF and GENERAL MANAGER/PRESIDENT. Activities shown: Encodes PR; Generates PO; Attaches PR to PO; Approves PO; Updates PO transaction file; Distributes PO to user depts.; Sends PO; Confirms receipt; Sends PR to Requesting Dept. Copies of the Purchase Order (PO) are routed to Accounting, Distribution, Stockroom and the Requesting Department, and to file.]
A. The General Manager approves POs with value of P50,000 and less, while the President approves PO above P50,000.
Key Success Factors to ERM
► Executive Leadership and Support
► Effective Change Enablement and Communication Process
► Project Management and Infrastructure Support
► Access to Tools and Resources
► Periodic Monitoring and Performance Measurement
The ERM Process and the ISO 31000 Risk Management Framework for Managing Risk
[Figure: the nine-step ERM process diagram (Assess, Improve, Monitor; Communicate and Consult).]
The ERM Process and the ISO 31000 Risk Management Process for Managing Risk
[Figure: the nine-step ERM process diagram (Assess, Improve, Monitor; Communicate and Consult).]
Integrating ERM into the Business
1. Strategic Plan and Financial Target Development
► Strategy and Value Drivers
► Long Range Strategic Plan
► Strategic Risk Assessment
► Strategic Initiatives & Financial Targets
2. Business Planning, Budget and Forecast Process
► Business Level Objectives
► Detailed Planning Analysis For Business Plan
► Business Level Risk Assessment
► Business Level Budget, Forecast & Operating Plan
3. Quarterly Business Performance Review Process
► Quarterly Revenue & Earnings
► Quarterly Review Against Business Plan
► Quarterly Risk Assessment Review
► Business Level Performance Measurement
4. Ongoing Risk & Control Monitoring and Support
► Internal Audit
► Regulatory & Compliance
► Internal Control
► Other Risk & Control Groups
1. Strategic Risk Assessment: Creates enterprise-level risk profile aligned to strategy and business objectives
2. Business Level Risk Assessment: Provides basis for structured consideration of risk relative to business plan process
3. Quarterly Risk Assessment Review: Routinely challenges the impact of key risks on budget, plan, forecast and performance
4. Provides key risk and control groups with routine updates on emerging risk issues
Thank you.