Enterprise Risk Management Dr. Doug Webster, CGFM, PMP Financial Management in Challenging Times May 13, 2009.

Presentation transcript:

1 Enterprise Risk Management Dr. Doug Webster, CGFM, PMP Financial Management in Challenging Times May 13, 2009

2 Why Worry About Risk?
- One of the most commonly heard words in the news for more than a year has been: Change
- Those in public service are the ones who have to deal with and implement this change.
- But how will you plan for and react to change?
- A reluctance to change causes many to seek a “burning platform”

3

4 Change Drives Risk
- The change that you internally implement in response to external change can take different forms
- Diagram (Urgency and Risk Options): Proactive Change; Reactive Change; Reactive Change in Crisis

5 Managing Change = Managing Risk
- Managing an organization requires more than tradeoffs between costs and benefits
- Risk must be considered, but traditional risk management has failed us
- Risk management is:
  - Often reactive and not strategically driven
  - Typically conducted within functional silos
  - Inconsistently applied across the organization
- Enterprise level change requires enterprise level risk management that overcomes these shortcomings

6 So What is ERM?
“…the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders.”
~ Casualty Actuarial Society, Enterprise Risk Management Committee, 2003

7 Key Principles
- ERM seeks to optimize risk management across the enterprise and address the shortcomings of traditional risk management
- ERM is:
  1. strategically aligned
  2. multi-functional/comprehensive
  3. consistently applied across the enterprise

8 1) Strategically Driven
- Effective risk management:
  1. Responds to risks external to the organization that could impact strategic goals and objectives
  2. Manages internal risks that could impede achievement of strategic goals and objectives
- Current risk management is not driven by the strategic planning process (which is often a compliance exercise)

9 2) Comprehensive
- Missed risks due to lack of ownership (risk in the “white space”*)
- Ignorance of impact of risk management decisions outside of the silo
- Diagram (Functional Risk Areas, Functional Area “Silos”): Financial Reporting; IT Capital Investment; IT Security; ??
* Rummler, Geary A.; Alan P. Brache (1995). Improving Performance: How to Manage the White Space in the Organization Chart

10 3) Consistent
- Risk management must be consistently applied across the organization (consistent risk ROI)
- Risks are balanced with rewards within an explicit risk tolerance
- Diagram (Functional Risk Areas, Functional & Thematic Area “Silos”): Internal Controls; COOP; Budget; Demographics; Etc. → Portfolio-based risk assessment and management

11 Stages of Risk Management
- Analytical: analysis of specific risks
- Integrational: evaluation of a risk portfolio
- Decisional: integration of risk into business decision making
- Diagram: Financial; IT Security; Physical Security; Programmatic; Etc. → Risk Portfolio → Strategically Aligned Business Decisions (with Other Business Considerations (Rewards))

12 Risk Management Stakeholders
- “Risk management” personnel (actuaries, auditors, IT security specialists, etc.)
- Diagram: Financial; IT Security; Physical Security; Programmatic; Etc. → Risk Portfolio

13 Risk Management Stakeholders
- Operational management
- Diagram: Financial; IT Security; Physical Security; Programmatic; Etc. → Risk Portfolio → Strategically Aligned Business Decisions (with Other Business Considerations (Rewards))

14 Risk Management Stakeholders
- Executive/strategic management
- Diagram: Risk Portfolio → Strategically Aligned Business Decisions (with Other Business Considerations (Rewards))

15 Isn’t OMB A-123 Risk Management?
Internal Control is an integral component of an organization’s management that provides reasonable assurance that the following objectives are being achieved:
- Effectiveness and efficiency of operations,
- Reliability of financial reporting, and
- Compliance with applicable laws and regulations.
—GAO/AIMD-00-21.3.1, November 1999

16 ERM is much more than A-123
- Difference #1
  - A-123 is focused on Internal Controls
  - ERM focuses broadly on risk management (internal and external) across the enterprise
- Difference #2
  - A-123 / Internal Control reviews look backwards
  - ERM looks forward into the future
- Difference #3
  - A-123 lacks two attributes found in current ERM Frameworks and practice:
    - Comprehensive: covers ALL risks in an organization, not just internal controls
    - Consistent: evaluates functional risks on a common basis across the entire organization

17 Requirements for ERM Success
- Risk management is viewed as an inherent function of all management and decision making
- Senior leadership establishes an explicit risk tolerance, and balances risk vs. reward in terms of strategic goals and objectives
- Operational and executive management balances risk across functions comprehensively and consistently
- Risk professionals are viewed as partners in managing risk, not the “owners” of risk
- ERM Requires More than Risk Management…it Requires Organizational Change Management
- Learn and dialog: www.federalerm.com
