Post on 16-Dec-2015

226 views

Category:

Documents


1 download

TRANSCRIPT

Introduction to Enterprise Risk Management (ERM)

John P. Behringer, McGladrey

(Slides Provided by Rebecca Towne, Director, McGladrey)

Traditional Risk Management vs. ERM


ERM

• Strategic, performance focused

• Consistent risk management approach across the enterprise

• Holistic view of key risks

• Considers risk interactions

• Business decisions based on a clear understanding of risks

• Driven by the board and owned by the business

• Supported by a “risk culture”

Traditional Risk Management

• Tactical, compliance focused

• Silo-based processes

• Business line or risk type view

• Looks at risks individually

• Business decisions not closely linked to risks

• Driven by Risk Management and Internal Audit

• Supported by rules

A Holistic View of Risk

What is a holistic view of risk?

• Aggregated risk exposures across the enterprise, for example concentrations by business line, product, customer segment, industry, or geography

• Consideration of all types of risk, including interactions between risks

• Consideration of alternative, forward-looking scenarios


Risk types vary by institution and may include:

• Operational risk

• Liquidity risk

• Strategic risk

• Market risk

• Compliance risk

• Reputational risk

• Legal risk

• Environmental risk

• Security risk

Enterprise Risk Management

Financial institution example of interactions between risks

(Diagram: an economic shock propagating across risk types)

• Economic shock

• Credit Risk: increases

• Liquidity Risk: losses reduce funds

• Market Risk: investors leave / values decline

• Legal Risk: borrowers under duress

• Operational Risk: cut-backs in resources

• Reputational Risk: issues become public

• Compliance Risk: regulatory scrutiny increases

• Strategic Risk: new restrictions / requirements

Range of ERM Practices


ERM Process

Advanced ERM practices

• Formally documented ERM framework

• Decisions based on complex, data-driven analysis

• ERM function and CRO

• Active board and Risk Committee involvement

• Highly automated aggregation and reporting processes

• ERM training based on a common risk language

Basic ERM practices

• Policies for each risk type

• Decisions based primarily on management judgment

• CFO or other executive responsible for risk oversight

• Less board involvement / reliance on Audit Committee

• Manual aggregation processes

• Tactical risk management training

Roles and Responsibilities

Three Lines of Defense

1st line: Business Lines and Functions. “Own” the risks associated with their activities and execute risk management processes.

2nd line: Risk Management. Designs and coordinates the implementation of the ERM program.

3rd line: Internal Audit. Validates the effectiveness of the ERM program.

Internal Audit’s Role in ERM

• Boards require objective assurance that risk management processes are working and key risks are being managed effectively.

• Internal (or external) auditors respond to this need by giving assurance on:

- The appropriateness of the company’s ERM framework

- The accuracy of risk and control assessments

- The effectiveness of risk management processes

- The appropriateness of management’s actions to address risks

- The accuracy of risk reports

Internal Audit’s Role in ERM

• In smaller institutions, Internal Audit may play a larger role in developing and overseeing the ERM framework, with appropriate safeguards to protect their independence.

- Audit should not be involved in actually managing risk, as this is the responsibility of the management team.

- Audit’s responsibilities should be documented and approved by the Audit Committee.

- Audit cannot give objective assurance on any part of the ERM framework for which it is responsible.

- Audit should not undertake any ERM responsibilities in which the function does not have adequate expertise.


ERM Framework

An ERM Framework should include:

• Risk governance

• Risk appetite setting

• Enterprise-wide risk management processes

– Identification of risks

– Assessment / measurement of risks

– Monitoring of risks and actions to address risks

– Management of risk through controls/risk responses

– Reporting of risks and the status of action plans

• Integration with business decision-making

• Establishment of a strong risk culture

Risk Governance

• Reviews and approves risk strategies, frameworks, and policies

• Reviews risk reports and recommends/monitors risk limits and action plans

• Oversees the implementation of the ERM framework/controls

(Diagram elements: ERM committee; Risk committees (e.g., ALCO); ERM function; Risk policies; Risk appetite; Incentives; ERM training; Capital adequacy; Product/strategy review)

Risk Appetite

• An effective ERM program relies on the establishment and communication of the company’s risk appetite

- Helps employees to understand the specific risks that the company is willing and not willing to take.

- Provides a means for ensuring that actual risk-taking is consistent with the company’s risk-taking capacity.

Risk Culture

Development of a risk culture is critical to effective ERM

Ways to establish a risk culture that is supportive of risk management:

• “Tone at the top”

- Reference the importance of risk management in the company’s objectives

- Incorporate risk management into ongoing executive management communications

- Exhibit the desired risk management behaviors

• Code of Conduct or Ethics

• Risk management factors included in incentive and performance evaluation plans

• Clearly defined roles and responsibilities that are consistent with three lines of defense


Integrating ERM into decision-making

• To be effective, risk management must be integrated into day-to-day business line activities and corporate decisions

- Risk Managers must be involved at the onset of strategy setting processes

- Risks associated with new products should be considered and communicated to the board

- Analysis of emerging risks and stress tests should influence business decisions

- Risk information should be shared across the company to avoid the same event recurring


Risk Management Processes


• Risk management processes are grouped in different ways but generally include the following:

• Ideally, each of these processes should be ongoing rather than, for example, annual.

Identify

Assess/measure

Manage/respond

Monitor

Report

Risk Identification

• Risk identification processes should begin with appropriate planning:

- Mapping of the company’s business lines and processes

- Determination of the risk types to be included in the process (e.g., operational, legal, reputational)

- Identification of resources responsible for the process in each area

• Risks can be identified through various methods, such as interviews, surveys and/or facilitated workshops

- Different levels of the organization may have different perspectives on risks

- Include emerging risks

- Be wary of risks that are really the absence of controls

Risk Assessment

• Best practices in risk assessment include:

- Identification of risks against key business objectives

- Coordination of risk assessments through interviews, surveys or facilitated workshops to ensure consistency

- Use of available information, such as Key Risk Indicators (KRIs), to ensure objectivity

• Assessments of the adequacy of internal controls must also be objective

- Oversight and use of information, such as the results of quality control reviews, are critical

Using Risk Assessments

Internal Audit assessments are generally used to:

• Determine the scope and frequency of audits

• Compare to business line assessments

Business Line assessments are used to:

• Prioritize risks across the company

• Identify the top risks to the company

• Identify appropriate responses to risks, as well as areas where the adequacy of controls is too low for the level of risk

• Drive risk-based monitoring processes

Avoid the “black hole” of risk assessment data!

Risk Management / Responses


• Risk responses should be based on assessment of loss frequency and impact

- Management actions should be specific to reducing likelihood or impact, depending on which one was assessed as high

• The most common risk responses include:

- Avoid (get out)

- Accept/retain (monitor)

- Reduce (institute controls)

- Transfer or share (partner with someone)

• Action plans with assigned owners should be developed and monitored by a risk committee

Risk Reporting

• Reporting should also follow from risk assessments, with higher risks reported in more depth

• Emphasis of risk reporting should be on highlighting key risks and recommendations for and status of management action

• Volumes of detail should be avoided, particularly for board reporting


• Reports should include early indicators and emerging risks

• Best practices include the development of ERM dashboards that provide a holistic view of risk and thoughtful analysis
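The response and reporting slides above describe a procedure: score each risk on loss frequency and impact, pick a response that targets whichever factor was assessed as high, flag where control adequacy is too low for the level of risk, surface KRI early indicators, and report higher risks in more depth while aggregating exposures by business line. The following is an added illustration of that procedure as a small risk register; it is not code from the McGladrey slides, and the 1-5 scales, the "high" threshold of 4, the response-mapping rule, the control-adequacy mapping, and the sample register entries are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

HIGH = 4  # assumed threshold: a factor scored 4 or 5 on a 1-5 scale counts as "high"


@dataclass
class Risk:
    name: str
    risk_type: str          # e.g. operational, credit, compliance
    business_line: str
    likelihood: int         # assessed loss frequency, 1 (rare) .. 5 (frequent)
    impact: int             # assessed loss impact, 1 (minor) .. 5 (severe)
    control_adequacy: int   # assessed control strength, 1 (weak) .. 5 (strong)
    owner: str              # assigned action-plan owner
    kris: dict = field(default_factory=dict)  # KRI name -> (current value, limit)


def score(r: Risk) -> int:
    """Inherent risk score = likelihood x impact (assumed 1..25 scale)."""
    return r.likelihood * r.impact


def recommend_response(r: Risk) -> str:
    """Map the assessment to one of the slide's four responses. The action
    targets whichever factor was assessed as high (assumed decision rule)."""
    if r.likelihood >= HIGH and r.impact >= HIGH:
        return "avoid (get out)"
    if r.likelihood >= HIGH:
        return "reduce likelihood (institute preventive controls)"
    if r.impact >= HIGH:
        return "transfer or share, and reduce impact (contingency controls)"
    return "accept/retain (monitor)"


def control_gap(r: Risk) -> bool:
    """Flag risks whose control adequacy is too low for their score (assumed mapping)."""
    required = 5 if score(r) >= 15 else 4 if score(r) >= 9 else 2
    return r.control_adequacy < required


def breached_kris(r: Risk) -> list:
    """Early indicators: KRIs at or beyond their limit."""
    return [k for k, (value, limit) in r.kris.items() if value >= limit]


def concentration_by_business_line(risks) -> dict:
    """Holistic view: aggregate inherent scores per business line, largest first."""
    totals = defaultdict(int)
    for r in risks:
        totals[r.business_line] += score(r)
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def board_report(risks, top_n=3) -> list:
    """Higher risks reported in more depth (response and owner), lower risks one
    line each; control gaps and KRI breaches are surfaced on the headline."""
    lines = []
    for i, r in enumerate(sorted(risks, key=score, reverse=True)):
        flags = []
        if control_gap(r):
            flags.append("CONTROL GAP")
        if breached_kris(r):
            flags.append("KRI: " + ", ".join(breached_kris(r)))
        head = f"{r.name} [{r.risk_type}/{r.business_line}] score={score(r)}"
        if i < top_n:
            lines.append(head + (" | " + " | ".join(flags) if flags else ""))
            lines.append(f"    response: {recommend_response(r)}; owner: {r.owner}")
        else:
            lines.append(head + " (monitor)")
    return lines


# Constructed sample register for a hypothetical financial institution.
REGISTER = [
    Risk("Third-party payment processor outage", "operational", "Payments", 4, 4, 2, "COO",
         {"processor incidents per quarter": (3, 3)}),
    Risk("Commercial real estate concentration", "credit", "Commercial Lending", 2, 5, 3, "CCO",
         {"CRE as % of capital": (280, 300)}),
    Risk("BSA/AML filing errors", "compliance", "Retail Banking", 4, 3, 4, "BSA Officer"),
    Risk("Branch cash handling losses", "operational", "Retail Banking", 3, 2, 3, "Retail Ops"),
]

if __name__ == "__main__":
    print("Concentration by business line:", concentration_by_business_line(REGISTER))
    print("\n".join(board_report(REGISTER)))
```

The register keeps every result in a function so it can be re-run as the assessment cycle repeats rather than once a year; the `control_gap` and `breached_kris` checks are the pieces a risk committee would monitor between reporting cycles.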