Introduction to Enterprise Risk Management (ERM)
John P. Behringer, McGladrey
(Slides Provided by Rebecca Towne, Director, McGladrey)
Traditional Risk Management vs. ERM

Traditional Risk Management
• Tactical, compliance focused
• Silo-based processes
• Business line or risk type view
• Looks at risks individually
• Business decisions not closely linked to risks
• Driven by Risk Management and Internal Audit
• Supported by rules

ERM
• Strategic, performance focused
• Consistent risk management approach across the enterprise
• Holistic view of key risks
• Considers risk interactions
• Business decisions based on a clear understanding of risks
• Driven by the board and owned by the business
• Supported by a “risk culture”
A Holistic View of Risk

What is a holistic view of risk?
• Aggregated risk exposures across the enterprise - for example, concentrations by business line, product, customer segment, industry, or geography
• Consideration of all types of risk, including interactions between risks
• Consideration of alternative, forward-looking scenarios

Risk types vary by institution and may include:
• Operational risk
• Liquidity risk
• Strategic risk
• Market risk
• Compliance risk
• Reputational risk
• Legal risk
• Environmental risk
• Security risk
Enterprise Risk Management

Financial institution example of interactions between risks (slide diagram, reconstructed as a list). Starting from an economic shock, the diagram linked the following risks:
• Economic shock
• Credit Risk: increases
• Market Risk: investors leave / values decline
• Liquidity Risk: losses reduce funds
• Operational Risk: cut-backs in resources
• Legal Risk: borrowers under duress
• Reputational Risk: issues become public
• Compliance Risk: regulatory scrutiny increases
• Strategic Risk: new restrictions / requirements
Range of ERM Practices

Basic ERM practices
• Policies for each risk type
• Decisions based primarily on management judgment
• CFO or other executive responsible for risk oversight
• Less board involvement / reliance on Audit Committee
• Manual aggregation processes
• Tactical risk management training

Advanced ERM practices
• Formally documented ERM framework
• Decisions based on complex, data-driven analysis
• ERM function and CRO
• Active board and Risk Committee involvement
• Highly automated aggregation and reporting processes
• ERM training based on a common risk language
Roles and Responsibilities

Three Lines of Defense
• 1st line - Business Lines and Functions: “Own” the risks associated with their activities and execute risk management processes
• 2nd line - Risk Management: Designs & coordinates the implementation of the ERM program
• 3rd line - Internal Audit: Validates the effectiveness of the ERM program
Internal Audit’s Role in ERM
• Boards require objective assurance that risk management processes are working and key risks are being managed effectively.
• Internal (or external) auditors respond to this need by giving assurance on:
  - The appropriateness of the company’s ERM framework
  - The accuracy of risk and control assessments
  - The effectiveness of risk management processes
  - The appropriateness of management’s actions to address risks
  - The accuracy of risk reports
• In smaller institutions, Internal Audit may play a larger role in developing and overseeing the ERM framework, with appropriate safeguards to protect their independence.
  - Audit should not be involved in actually managing risk, as this is the responsibility of the management team.
  - Audit’s responsibilities should be documented and approved by the Audit Committee.
  - Audit cannot give objective assurance on any part of the ERM framework for which it is responsible.
  - Audit should not undertake any ERM responsibilities in which the function does not have adequate expertise.
ERM Framework

An ERM Framework should include:
• Risk governance
• Risk appetite setting
• Enterprise-wide risk management processes
  – Identification of risks
  – Assessment / measurement of risks
  – Monitoring of risks and actions to address risks
  – Management of risk through controls/risk responses
  – Reporting of risks and the status of action plans
• Integration with business decision-making
• Establishment of a strong risk culture
Risk Governance

Elements shown in the risk governance diagram:
• ERM committee
• Risk committees (e.g., ALCO)
• ERM function
• Risk policies
• Risk appetite
• Incentives
• ERM training
• Capital adequacy
• Product/strategy review

Governance responsibilities:
• Reviews and approves risk strategies, frameworks, and policies
• Reviews risk reports and recommends/monitors risk limits and action plans
• Oversees the implementation of the ERM framework/controls
Risk Appetite
• An effective ERM program relies on the establishment and communication of the company’s risk appetite
  - Helps employees to understand the specific risks that the company is willing and not willing to take.
  - Provides a means for ensuring that actual risk-taking is consistent with the company’s risk-taking capacity.
Risk Culture

Development of a risk culture is critical to effective ERM.

Ways to establish a risk culture that is supportive of risk management:
• “Tone at the top”
  - Reference the importance of risk management in the company’s objectives
  - Incorporate risk management into ongoing executive management communications
  - Exhibit the desired risk management behaviors
• Code of Conduct or Ethics
• Risk management factors included in incentive and performance evaluation plans
• Clearly defined roles and responsibilities that are consistent with the three lines of defense
Integrating ERM into Decision-Making
• To be effective, risk management must be integrated into day-to-day business line activities and corporate decisions
  - Risk Managers must be involved at the onset of strategy setting processes
  - Risks associated with new products should be considered and communicated to the board
  - Analysis of emerging risks and stress tests should influence business decisions
  - Risk information should be shared across the company to avoid the same event recurring
Risk Management Processes
• Risk management processes are grouped in different ways but generally include the following:
  - Identify
  - Assess/measure
  - Manage/respond
  - Monitor
  - Report
• Ideally, each of these processes should be ongoing rather than, for example, annual.
Risk Identification
• Risk identification processes should begin with appropriate planning:
  - Mapping of the company’s business lines and processes
  - Determination of the risk types to be included in the process (e.g., operational, legal, reputational)
  - Identification of resources responsible for the process in each area
• Risks can be identified through various methods, such as interviews, surveys and/or facilitated workshops
  - Different levels of the organization may have different perspectives on risks
  - Include emerging risks
  - Be wary of risks that are really the absence of controls
Risk Assessment
• Best practices in risk assessment include:
  - Identification of risks against key business objectives
  - Coordination of risk assessments through interviews, surveys or facilitated workshops to ensure consistency
  - Use of available information, such as Key Risk Indicators (KRIs), to ensure objectivity
• Assessments of the adequacy of internal controls must also be objective
  - Oversight and use of information, such as the results of quality control reviews, are critical
Using Risk Assessments

Internal Audit assessments are generally used to:
• Determine the scope and frequency of audits
• Compare to business line assessments

Business Line assessments are used to:
• Prioritize risks across the company
• Identify the top risks to the company
• Identify appropriate responses to risks, as well as areas where the adequacy of controls is too low for the level of risk
• Drive risk-based monitoring processes

Avoid the “black hole” of risk assessment data!
Risk Management / Responses
• Risk responses should be based on assessment of loss frequency and impact
  - Management actions should be specific to reducing likelihood or impact, depending on which one was assessed as high
• The most common risk responses include:
  - Avoid (get out)
  - Accept/retain (monitor)
  - Reduce (institute controls)
  - Transfer or share (partner with someone)
• Action plans with assigned owners should be developed and monitored by a risk committee
Risk Reporting
• Reporting should also follow from risk assessments, with higher risks reported in more depth
• Emphasis of risk reporting should be on highlighting key risks and recommendations for and status of management action
• Volumes of detail should be avoided, particularly for board reporting
• Reports should include early indicators and emerging risks
• Best practices include the development of ERM dashboards that provide a holistic view of risk and thoughtful analysis