Published by Arlene Robertson, modified over 9 years ago
Introduction to Enterprise Risk Management (ERM)
John P. Behringer, McGladrey (slides provided by Rebecca Towne, Director, McGladrey)
Traditional Risk Management vs. ERM

Traditional Risk Management:
- Tactical, compliance focused
- Silo-based processes
- Business line or risk type view
- Looks at risks individually
- Business decisions not closely linked to risks
- Driven by Risk Management and Internal Audit
- Supported by rules

ERM:
- Strategic, performance focused
- Consistent risk management approach across the enterprise
- Holistic view of key risks
- Considers risk interactions
- Business decisions based on a clear understanding of risks
- Driven by the board and owned by the business
- Supported by a "risk culture"
A Holistic View of Risk

Risk types vary by institution and may include:
- Operational risk
- Liquidity risk
- Strategic risk
- Market risk
- Compliance risk
- Reputational risk
- Legal risk
- Environmental risk
- Security risk

What is a holistic view of risk?
- Aggregated risk exposures across the enterprise, for example concentrations by business line, product, customer segment, industry, or geography
- Consideration of all types of risk, including interactions between risks
- Consideration of alternative, forward-looking scenarios
Enterprise Risk Management: interactions between risks

Financial institution example of how a single economic shock propagates across risk types:
- Credit risk: increases as the economic shock hits borrowers
- Liquidity risk: losses reduce funds
- Reputational risk: issues become public
- Compliance risk: regulatory scrutiny increases
- Strategic risk: new restrictions/requirements
- Legal risk: borrowers under duress
- Operational risk: cut-backs in resources
- Market risk: investors leave / values decline
Range of ERM Practices

Advanced ERM practices:
- Formally documented ERM framework
- Decisions based on complex, data-driven analysis
- ERM function and CRO
- Active board and Risk Committee involvement
- Highly automated aggregation and reporting processes
- ERM training based on a common risk language

Basic ERM practices:
- Policies for each risk type
- Decisions based primarily on management judgment
- CFO or other executive responsible for risk oversight
- Less board involvement / reliance on Audit Committee
- Manual aggregation processes
- Tactical risk management training
Roles and Responsibilities: Three Lines of Defense
- 1st line, Business Lines and Functions: "own" the risks associated with their activities and execute risk management processes
- 2nd line, Risk Management: designs and coordinates the implementation of the ERM program
- 3rd line, Internal Audit: validates the effectiveness of the ERM program
Internal Audit's Role in ERM

Boards require objective assurance that risk management processes are working and key risks are being managed effectively. Internal (or external) auditors respond to this need by giving assurance on:
- The appropriateness of the company's ERM framework
- The accuracy of risk and control assessments
- The effectiveness of risk management processes
- The appropriateness of management's actions to address risks
- The accuracy of risk reports
Internal Audit's Role in ERM (continued)

In smaller institutions, Internal Audit may play a larger role in developing and overseeing the ERM framework, with appropriate safeguards to protect its independence:
- Audit should not be involved in actually managing risk, as this is the responsibility of the management team.
- Audit's responsibilities should be documented and approved by the Audit Committee.
- Audit cannot give objective assurance on any part of the ERM framework for which it is responsible.
- Audit should not undertake any ERM responsibilities for which the function does not have adequate expertise.
ERM Framework

An ERM Framework should include:
- Risk governance
- Risk appetite setting
- Enterprise-wide risk management processes:
  - Identification of risks
  - Assessment / measurement of risks
  - Monitoring of risks and actions to address risks
  - Management of risk through controls/risk responses
  - Reporting of risks and the status of action plans
- Integration with business decision-making
- Establishment of a strong risk culture
Risk Governance

Governance structure, from the board down:
- Board: oversight
- ERM committee
- Risk committees (e.g., ALCO)
- ERM function

Elements set and maintained through this structure: risk policies, risk appetite, incentives, ERM training, capital adequacy, product/strategy review

Responsibilities:
- Reviews and approves risk strategies, frameworks, and policies
- Reviews risk reports and recommends/monitors risk limits and action plans
- Oversees the implementation of the ERM framework/controls
Risk Appetite

An effective ERM program relies on the establishment and communication of the company's risk appetite. It:
- Helps employees to understand the specific risks that the company is willing and not willing to take.
- Provides a means for ensuring that actual risk-taking is consistent with the company's risk-taking capacity.
Risk Culture

Development of a risk culture is critical to effective ERM. Ways to establish a risk culture that is supportive of risk management:
- "Tone at the top":
  - Reference the importance of risk management in the company's objectives
  - Incorporate risk management into ongoing executive management communications
  - Exhibit the desired risk management behaviors
- Code of Conduct or Ethics
- Risk management factors included in incentive and performance evaluation plans
- Clearly defined roles and responsibilities that are consistent with the three lines of defense
Integrating ERM into decision-making

To be effective, risk management must be integrated into day-to-day business line activities and corporate decisions:
- Risk Managers must be involved at the onset of strategy-setting processes
- Risks associated with new products should be considered and communicated to the board
- Analysis of emerging risks and stress tests should influence business decisions
- Risk information should be shared across the company to avoid the same event recurring
Risk Management Processes

Risk management processes are grouped in different ways but generally include the following cycle:
- Identify / measure
- Assess / respond
- Manage / monitor
- Report

Ideally, each of these processes should be ongoing rather than, for example, annual.
Risk Identification

Risk identification processes should begin with appropriate planning:
- Mapping of the company's business lines and processes
- Determination of the risk types to be included in the process (e.g., operational, legal, reputational)
- Identification of resources responsible for the process in each area

Identifying the risks:
- Risks can be identified through various methods, such as interviews, surveys and/or facilitated workshops
- Different levels of the organization may have different perspectives on risks
- Include emerging risks
- Be wary of "risks" that are really the absence of controls
Risk Assessment

Best practices in risk assessment include:
- Identification of risks against key business objectives
- Coordination of risk assessments through interviews, surveys or facilitated workshops to ensure consistency
- Use of available information, such as Key Risk Indicators (KRIs), to ensure objectivity
- Assessments of the adequacy of internal controls must also be objective
- Oversight and use of information, such as the results of quality control reviews, are critical
Using Risk Assessments

Internal Audit assessments are generally used to:
- Determine the scope and frequency of audits
- Compare to business line assessments

Business Line assessments are used to:
- Prioritize risks across the company
- Identify the top risks to the company
- Identify appropriate responses to risks, as well as areas where the adequacy of controls is too low for the level of risk
- Drive risk-based monitoring processes

Avoid the "black hole" of risk assessment data: assessments that are collected but never used to drive decisions.
Risk Management / Responses

- Risk responses should be based on assessment of loss frequency and impact
- Management actions should be specific to reducing likelihood or impact, depending on which one was assessed as high
- The most common risk responses include:
  - Avoid (get out)
  - Accept/retain (monitor)
  - Reduce (institute controls)
  - Transfer or share (partner with someone)
- Action plans with assigned owners should be developed and monitored by a risk committee
Risk Reporting

- Reporting should also follow from risk assessments, with higher risks reported in more depth
- Emphasis of risk reporting should be on highlighting key risks and recommendations for, and status of, management action
- Volumes of detail should be avoided, particularly for board reporting
- Reports should include early indicators and emerging risks
- Best practices include the development of ERM dashboards that provide a holistic view of risk and thoughtful analysis
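The response-selection rule (act on likelihood or impact, whichever was assessed as high), the concentration view by business line, the comparison of aggregated exposure against a stated risk appetite, the "controls too low for the level of risk" flag, and the short exception-focused board summary can all be run over the same risk register. The following Python is an added worked example and is not code from the McGladrey slides. Everything in it is an assumption chosen for illustration: the 1-5 rating scales, the threshold of 4 for "high", the residual-risk formula (each control adequacy point above 1 removes 20% of inherent exposure), the control-gap threshold of 12, the response labels, and the sample register and appetite limits for a small bank, which are constructed rather than real data.

```python
"""Risk register scoring, aggregation, response selection and board summary.

Added illustration; not from the McGladrey slides. Ratings, thresholds and the
residual-risk model are assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

HIGH = 4                 # assumed: a likelihood or impact rating of 4 or 5 is "high"
CONTROL_GAP_SCORE = 12   # assumed: inherent score at or above this needs strong (>= 4) controls


@dataclass(frozen=True)
class Risk:
    name: str
    business_line: str
    risk_type: str
    likelihood: int        # 1 (rare) .. 5 (almost certain), i.e. loss frequency
    impact: int            # 1 (minor) .. 5 (severe)
    control_adequacy: int  # 1 (weak) .. 5 (strong), from the control assessment
    owner: str             # action plan owner


def inherent_score(r: Risk) -> int:
    """Frequency x impact before controls."""
    return r.likelihood * r.impact


def residual_score(r: Risk) -> float:
    """Assumed model: each adequacy point above 1 removes 20% of inherent exposure."""
    return inherent_score(r) * (1 - 0.2 * (r.control_adequacy - 1))


def recommend_response(r: Risk) -> str:
    """Avoid / reduce / transfer or share / accept, targeting whichever rating is high."""
    high_likelihood, high_impact = r.likelihood >= HIGH, r.impact >= HIGH
    if high_likelihood and high_impact:
        return "avoid"
    if high_likelihood:
        return "reduce likelihood"          # preventive controls against frequent events
    if high_impact:
        return "transfer or share impact"   # insurance, limits, recovery capacity
    return "accept and monitor"


def control_gap(r: Risk) -> bool:
    """True where control adequacy is too low for the level of inherent risk."""
    return inherent_score(r) >= CONTROL_GAP_SCORE and r.control_adequacy < 4


def aggregate_by(risks, attribute: str) -> dict:
    """Sum residual exposure by business line, risk type, etc. (concentration view)."""
    totals = defaultdict(float)
    for r in risks:
        totals[getattr(r, attribute)] += residual_score(r)
    return dict(totals)


def appetite_breaches(risks, limits: dict) -> dict:
    """Business lines whose aggregated residual exposure exceeds the stated appetite limit."""
    totals = aggregate_by(risks, "business_line")
    return {bl: (round(total, 2), limits[bl]) for bl, total in totals.items()
            if bl in limits and total > limits[bl]}


def top_risks(risks, n: int = 3) -> list:
    """Highest residual exposures first; these get reported in the most depth."""
    return sorted(risks, key=residual_score, reverse=True)[:n]


def board_report(risks, limits: dict, n: int = 3) -> list:
    """Short, exception-focused summary: key risks, recommended action, owner, breaches."""
    lines = [f"Top {n} risks by residual exposure:"]
    for r in top_risks(risks, n):
        flag = " [CONTROL GAP]" if control_gap(r) else ""
        lines.append(f"  {r.name} ({r.business_line}, {r.risk_type}): "
                     f"residual {residual_score(r):.1f}, {recommend_response(r)}, "
                     f"owner {r.owner}{flag}")
    for bl, (total, limit) in appetite_breaches(risks, limits).items():
        lines.append(f"Appetite breach: {bl} residual {total} exceeds limit {limit}")
    return lines


# Constructed sample register for a small bank (not real data).
REGISTER = [
    Risk("CRE loan concentration", "Commercial Lending", "credit", 4, 5, 2, "CLO"),
    Risk("Core banking outage", "Operations", "operational", 2, 5, 4, "COO"),
    Risk("Wire fraud via compromised email", "Treasury", "operational", 4, 3, 3, "Treasurer"),
    Risk("Deposit run-off after rate moves", "Treasury", "liquidity", 3, 4, 3, "CFO"),
    Risk("Fair lending rule change", "Commercial Lending", "compliance", 3, 3, 3, "CCO"),
]
# Constructed appetite limits: maximum aggregated residual exposure per business line.
LIMITS = {"Commercial Lending": 15.0, "Treasury": 15.0, "Operations": 10.0}

if __name__ == "__main__":
    print("\n".join(board_report(REGISTER, LIMITS)))
```

Running the block prints the board view only: the three largest residual exposures with the response each one calls for, their owners, a control-gap flag where the inherent score demands stronger controls than the assessment found, and the one business line (Commercial Lending) whose aggregated exposure breaches its appetite limit. The detailed register stays in the aggregation functions for the risk committee, which is the split between board-level and management-level reporting the slides recommend.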
© 2024 SlidePlayer.com. Inc.
All rights reserved.