Enterprise Risk Management

1
Enterprise Risk Management

• Lecture 9

2
Why the Interest in ERM?

• Performance bar is raised for Financial
  Executives
• Your company can optimize overall returns and
  minimize risks
• Leverage existing control processes to meet
  emerging risk governance demands
• Rating agencies are incorporating ERM evaluation
  to overall corporate rating
• US Sentencing Guidelines offer consideration for
  effective risk management

3
Evolution of ERM COSO Internal Control Framework

• Operations
• Compliance
• Financial Reporting

4
Evolution of ERM COSO Enterprise Risk Management

• Strategy
• Operations
• Reporting
• Compliance

5
Defining ERM Portfolio View
Possible Combinations of Risk and Return
Unattainable Combinations
Modified from www.monkeychimp.com
6
Defining ERM Key Concepts

• Common Language
• Common Measurement
• Gross / Inherent Risk
• Response/Control/Mitigation
• Net / Residual Risk

7
Implementing ERM Getting Started

• Get Buy in from the Top
• Consolidate Risk Lists
• Document Existing Risk Management Silos
• Identify Gaps in Coverage
• Decide Next Steps
• Fill Gaps to Demonstrate Value
• Establish Repeatable Process

Ad Hoc / Heroics Initial Tasking
8
Implementing ERM Leverage Existing Processes

• Internal Audit
• Compliance
• Strategic Planning
• Operational Planning
• Board Reporting

Common Risk List Assess Gross Magnitude and
Likelihood Prioritization of Risks Self
Assessment of Response and Control
Capabilities Consensus View on Net
Risk Disclosure of Risk Exposures
9
Risk and Control Focus
10
Implementing ERM Establishing a Process

• Get Management Talking About Enterprise Risk
• Develop Common Language
• Develop a Common Measurement Basis
• Establish an Enterprise Risk Management Framework
• Dedicate Staff
• Develop Expertise

Repeatable Manageable
11
Implementing ERM Key Questions

• Quality Are we talking the right kinds of risk?
• Quantity Are we talking the proper amount of
  risk to meet our objectives?
• Resources Are we allocating resources
  (financial, human, etc) efficiently to manage
  risks?
• Advantage Do we have a competitive advantage in
  a particular type of risk?
• Challenges
• Cultural
• Operational

Optimizing?
12
Sample ERM Implementation Lifecycle

• Sample potential ERM Implementation Project
  Lifecycle
• Comprehensive Risk Identification
• Review existing risk lists
• Interview senior management
• Consolidate findings and report
• Collect and Index Extant Risk Related Process
  Documents
• Find policies and procedures related to
  significant risks
• Assess gaps in coverage i.e. risk identified but
  no related processes
• Assess gross risk
• Interview business unit managers to determin risk
  events, potential impact and likelihood of
  occurrence
• Review existing risk modeling at the business
  unit level
• Assess risk materiality and prioritize risks
• Document findings and report

13
Sample ERM Implementation Lifecycle ( Contd)

• Assess capabilities to control and respond to
  risk
• Determine organizational structure and identify
  risk management capabilities
• Assist business unit managers in self assessing
  their capabilities to control and respond to risk
  using objective benchmarking criteria to
  determine relative strength
• Determine the risk and capability alignment (one
  to one, many to one, one to many) and assess
  interdependencies
• Document findings and report
• Assess residual risks
• Determine residual risk exposure based on higher
  risk materiality and lower related capabilities
• Document findings and report
• Develop Gap Closing Plan
• For higher risk materiality and lower related
  capabilities develop action plans to either
  modify risk materiality or strengthen
  capabilities
• Execute Gap Closing Initiatives
• Additional projects need to be scoped

14
Value Proposition Demonstrate Good Governance

• Transparency to Stakeholders
• Reveal natural hedges
• Understand how a single event or multiple events
  may impact the company as a whole
• Broader understanding of the aggregate exposure
  to risk
• No surprise
• Clarify Roles and Responsibilities
• Assign risks with no clear owner (reputation
  risk)
• Enhance collaboration in response to events

15
Risk Environment
Interest Rate Risk Foreign Exchange Hedging
Programs
Customer Financing Prepaid Services Loans Bonds
Product Pricing Reserves Consumer
Behavior Catastrophes Reputation
People Processes Technology Outsourcing Fraud
16
Response and Control Capabilities

• Compliance
• Ethics
• Internal Audit
• Sarbanes Oxley
• Human Resources
• Technology
• Product Development
• Communications
• Insurance Programs
• Capital Management

Risk management capabilities exist through out
the enterprise Front office / sales Middle
office / support Back office / processing
17
ERM Heat Map
18
Decisions Under Risk and Uncertainty
19
Risk Governance

• Decision making and controls related to risk
  taking
• Interagency Statement on Complex Structured
  Financial Transactions
• Rating agency consideration of ERM
• Organizational Sentencing Guidelines
• Internal Audits role in ERM
• Shape the control environment to maximize value,
  remember that wanting greater returns usually
  implies taking more risk

20
Identifying Elevated Risk CSFTs
Characteristics of Elevated Risk Complex
Structured Financial Transactions

• Lack economic substance or business purpose
• Questionable accounting, regulatory, or tax
  objectives
• Create misleading disclosures
• Involve circular transfers of risks
• Involve undocumented agreements that impact
  regulatory treatment
• Economic terms inconsistent with market norms
• Provide disproportionate compensation

21
Organizational Sentencing Guidelines Overview

• Established by the US Sentencing Commission
• Most recent revisions effective November 1, 2004
• Applies to many forms of organizations
• Companies
• Not for profits
• Unions
• Governments
• Others
• Focus on the effectiveness of compliance and
  ethics program

22
Effectiveness Criteria Responsibility and
Authority

• Governing authority
• Is knowledgeable of the compliance and ethics
  program
• Exercises oversight of implementation and
  effectiveness
• Specific high level individuals shall have
  responsibility for the compliance and ethics
  program
• Specific individuals shall be delegated
  operational responsibility for the compliance and
  ethics program
• Report to governing authority / high level
  individuals
• Adequate resources
• Appropriate authority

23
Effectiveness Criteria Procedures

• Communication and training
• Monitoring and auditing
• Periodic evaluation of effectiveness
• Anonymous reporting processes
• Enforcement and consequences
• Risk assessment

24
ERM, Ethics and Compliance

• Adopting ERM is one way to demonstrate a
  commitment to good governance
• Enterprise wide risk assessments can help put the
  need for compliance and ethics program in context
• Compliance risk assessments can leverage the
  enterprise risk assessment and management process
• A coordinated testing strategy can save time and
  effort and reduce information overload

25
Standard Poors Approach

• Enterprise risk management will become a
  separate major category of our analysis
• The companies that are seen to be the best
  performers in this category will be those that
  have robust risk management processes that are
  carried out across the entire enterprise and that
  form a basis for informing and directing the
  firms fundamental decision making

26
Standard Poors Classification

• Weak
• Limited capabilities to cosistently identify,
  measure, and manage risk exposures across the
  company and thereny limit losses.
• Execution of risk management is sporadic
• Losses cannot be expected to be limited n
  accordance with perdetermined tolerance
  guidelines
• Business managers have yet to adopt a risk
  management framework
• Risk management satisifies regulatory minimums
  but is not regularly applied to business decisions

• Excellent
• Extremely strong capabilities to consistently
  identity, measure, and manage risk exposures and
  losses within the companies predetermined
  tolerance guidance
• Consistent evidence of the practice of optimizing
  risk adjusted returns
• Risk and risk management are always important
  considerations in corporate decision making

27
Standard Poors Cultural Indicators

• Most Favorable
• Corporate risk management responsibility rest
  with a senior influential officer
• With regular reporting and access to the board
• Risk tolerance is clearly articulated and
  consistent with firm goals and expectations
• Risk management polices and procedures are
  clearly stated and widely known
• Management view its risk management capabilities
  as a competitive advantage

• Least Favorable
• Corporate risk management responsibility rest
  with a middle manager or is nonexistent
• Access to the board is ad doc or limited
• Risk tolerance is unclear and may vary from
  situation to situation
• Risk management policies and procedures are not
  fully documented
• Management views risk management as a frustrating
  constraint imposed by external policies

28
Standard Poors Control Indicators

• Most Favorable
• Demonstrate process to identify significant risk
  experience
• All significant risk monitored on a regular basis
  with timely and accurate measures of risk
• Clearly documented limits and standards for risk
  taking and management that are widely understood
• Risk limits are enforced with clear predetermined
  consequence for exceeding limits
• Defined loss event post mortem review to
  determine if process improvements are necessary

• Least Favorable
• Not all significant risk exposures have been
  identified
• Risk monitoring is informal, irregular or
  nonexistent
• Risk limits not documented or are too broad to
  have an impact on operational decision making
• Review of compliance with limits is irregular and
  there are often no consequence for exceeding
  limits
• Minimal or limited review of loss events

29
ERM Value

• Better Decision Making
• Facilitates risk management gap analysis
• Helps optimize gap closing spend and activities
• Common language and measurement of risk allows
  for more efficient risk monitoring and
  communication (eliminate duplication of effort)
• Also provides a context to align risk and control
  responsibilities
• Provides a meaningful context for external
  stakeholders
• Shareholders aware of risk to strategy and
  management's process to respond and control
  unwanted risk levels
• Rating agencies understand how risk is factored
  into decision making to optimize risk and reward
• Demonstrate good tone at the top corporate
  governance