Introduction to Enterprise Risk Management (ERM) John P. Behringer McGladrey (Slides Provided by Rebecca Towne, Director, McGladrey)
Traditional Risk Management vs. ERM
• Traditional Risk Management
  • Tactical, compliance focused
  • Silo-based processes
  • Business line or risk type view
  • Looks at risks individually
  • Business decisions not closely linked to risks
  • Driven by Risk Management and Internal Audit
  • Supported by rules
• ERM
  • Strategic, performance focused
  • Consistent risk management approach across the enterprise
  • Holistic view of key risks
  • Considers risk interactions
  • Business decisions based on a clear understanding of risks
  • Driven by the board and owned by the business
  • Supported by a “risk culture”
A Holistic View of Risk
• Risk types vary by institution and may include:
  • Operational risk
  • Liquidity risk
  • Strategic risk
  • Market risk
  • Compliance risk
  • Reputational risk
  • Legal risk
  • Environmental
  • Security
What is a holistic view of risk?
• Aggregated risk exposures across the enterprise
  • For example, concentrations by business line, product, customer segment, industry, or geography
• Consideration of all types of risk, including interactions between risks
• Consideration of alternative, forward-looking scenarios
Enterprise Risk Management
[Diagram: financial institution example of interactions between risks, starting from an economic shock]
ERM Process
Range of ERM Practices
• Advanced ERM practices
  • Formally documented ERM framework
  • Decisions based on complex, data-driven analysis
  • ERM function and CRO
  • Active board and Risk Committee involvement
  • Highly automated aggregation and reporting processes
  • ERM training based on a common risk language
• Basic ERM practices
  • Policies for each risk type
  • Decisions based primarily on management judgment
  • CFO or other executive responsible for risk oversight
  • Less board involvement / reliance on Audit Committee
  • Manual aggregation processes
  • Tactical risk management training
Roles and Responsibilities
Three Lines of Defense
1st: Business Lines and Functions
• “Own” the risks associated with their activities and execute risk management processes
2nd: Risk Management
• Designs & coordinates the implementation of the ERM program
3rd: Internal Audit
• Validates the effectiveness of the ERM program
Internal Audit’s Role in ERM
• Boards require objective assurance that risk management processes are working and key risks are being managed effectively.
• Internal (or external) auditors respond to this need by giving assurance on:
  • The appropriateness of the company’s ERM framework
  • The accuracy of risk and control assessments
  • The effectiveness of risk management processes
  • The appropriateness of management’s actions to address risks
  • The accuracy of risk reports
Internal Audit’s Role in ERM
• In smaller institutions, Internal Audit may play a larger role in developing and overseeing the ERM framework, with appropriate safeguards to protect their independence.
• Audit should not be involved in actually managing risk, as this is the responsibility of the management team.
• Audit’s responsibilities should be documented and approved by the Audit Committee.
• Audit cannot give objective assurance on any part of the ERM framework for which it is responsible.
• Audit should not undertake any ERM responsibilities in which the function does not have adequate expertise.
ERM Framework
An ERM Framework should include:
• Risk governance
• Risk appetite setting
• Enterprise-wide risk management processes
  • Identification of risks
  • Assessment / measurement of risks
  • Monitoring of risks and actions to address risks
  • Management of risk through controls/risk responses
  • Reporting of risks and the status of action plans
• Integration with business decision-making
• Establishment of a strong risk culture
Risk Governance
• Reviews and approves risk strategies, frameworks, and policies
• Reviews risk reports and recommends/monitors risk limits and action plans
• Oversees the implementation of the ERM framework/controls
Risk Appetite
• An effective ERM program relies on the establishment and communication of the company’s risk appetite
  • Helps employees to understand the specific risks that the company is willing and not willing to take.
  • Provides a means for ensuring that actual risk-taking is consistent with the company’s risk-taking capacity.
Risk Culture
Development of a risk culture is critical to effective ERM
Ways to establish a risk culture that is supportive of risk management:
• “Tone at the top”
  • Reference the importance of risk management in the company’s objectives
  • Incorporate risk management into ongoing executive management communications
  • Exhibit the desired risk management behaviors
• Code of Conduct or Ethics
• Risk management factors included in incentive and performance evaluation plans
• Clearly defined roles and responsibilities that are consistent with three lines of defense
Integrating ERM into decision-making
• To be effective, risk management must be integrated into day-to-day business line activities and corporate decisions
  • Risk Managers must be involved at the onset of strategy setting processes
  • Risks associated with new products should be considered and communicated to the board
  • Analysis of emerging risks and stress tests should influence business decisions
  • Risk information should be shared across the company to avoid the same event recurring
Risk Management Processes
• Risk management processes are grouped in different ways but generally include the following:
• Ideally, each of these processes should be ongoing rather than, for example, annual.
Risk Identification
• Risk identification processes should begin with appropriate planning:
  • Mapping of the company’s business lines and processes
  • Determination of the risk types to be included in the process (e.g., operational, legal, reputational)
  • Identification of resources responsible for the process in each area
• Risks can be identified through various methods, such as interviews, surveys and/or facilitated workshops
  • Different levels of the organization may have different perspectives on risks
  • Include emerging risks
  • Be wary of risks that are really the absence of controls
Risk Assessment
• Best practices in risk assessment include:
  • Identification of risks against key business objectives
  • Coordination of risk assessments through interviews, surveys or facilitated workshops to ensure consistency
  • Use of available information, such as Key Risk Indicators (KRIs), to ensure objectivity
• Assessments of the adequacy of internal controls must also be objective
  • Oversight and use of information, such as the results of quality control reviews, are critical
Using Risk Assessments
• Internal Audit assessments are generally used to:
  • Determine the scope and frequency of audits
  • Compare to business line assessments
• Business Line assessments are used to:
  • Prioritize risks across the company
  • Identify the top risks to the company
  • Identify appropriate responses to risks, as well as areas where the adequacy of controls is too low for the level of risk
  • Drive risk-based monitoring processes
• Avoid the “black hole” of risk assessment data!
Risk Management / Responses
• Risk responses should be based on assessment of loss frequency and impact
  • Management actions should be specific to reducing likelihood or impact, depending on which one was assessed as high
• The most common risk responses include:
  • Avoid (get out)
  • Accept/retain (monitor)
  • Reduce (institute controls)
  • Transfer or share (partner with someone)
• Action plans with assigned owners should be developed and monitored by a risk committee
Risk Reporting
• Reporting should also follow from risk assessments, with higher risks reported in more depth
• Emphasis of risk reporting should be on highlighting key risks and recommendations for and status of management action
  • Volumes of detail should be avoided, particularly for board reporting
• Reports should include early indicators and emerging risks
• Best practices include the development of ERM dashboards that provide a holistic view of risk and thoughtful analysis