Enterprise Risk Management Discussion American Gas Association Risk Management Committee Meeting

1 Enterprise Risk Management Discussion American Gas Association Risk Management Committee Meeting July 17, 2017

2 Objectives
Provide perspective on the evolution of Enterprise Risk Management (ERM)
New 2017 proposed COSO ERM Framework
ERM program enhancements
Copyright 2017 Deloitte Development LLC. All rights reserved.

3 Why is Enterprise Risk Management (ERM) evolving?

4 ERM continues to evolve, but why?
Failure to prevent surprises: Reputational and strategic risks continue to occur and were not on the ERM radar.
False precision: Over-emphasis on developing a heat map and quantifying risks vs. order of magnitude of impact to the business.
Lack of effectiveness: Focused largely on the internal known risk universe where developing partnerships with business units was not top of mind. Even with ERM in place, known risks such as compliance events cost companies billions of dollars.
Value for decision making: Information was largely retrospective and did not support future decision making or provide strategic risk insights.

5 Traditional ERM programs haven't focused on strategic risks, even though they have the most significant impact on value
Proportion of significant losses in market value caused by each type of risk over the past decade (1):
86% Strategic
9% Operational
2% Financial reporting
3% Legal and compliance
Proportion of time spent on each type of risk:
6% Strategic
42% Operational
13% Legal and compliance
39% Financial reporting
(1) "Reducing Risk Management's Organizational Drag," CEB, 2015, and "How To Live With Risks," Harvard Business Review, July-August 2015

6 What are strategic risks?
Value:
Rewarded risks: New product development; Growth and expansion; New markets. Manage risks to help create value (future growth).
Unrewarded risks: Regulatory compliance; Fraud; Disasters. Manage risks to help protect value (existing assets and capital).

7 Strategic risks are at the forefront given the new reality of the business world
Technological changes and advances
Increased mergers and acquisitions
Changing consumer demographics and behavior
Regulatory changes
24/7 feedback culture
Business model innovation
Globalization
Increased reliance on third parties

8 How can ERM help add value in a changing landscape?
Leading ERM programs can provide value in some of the following ways:
Key enterprise risks focus on the most important impact to the company's strategy, business and reputation
Focus on both value creation as well as value preservation
Evaluate operational risks for changes; these risks are part of business as usual and managed by the appropriate BUs / functions
Focus on uncovering unknown or emerging risks versus the known risk universe
Bring outside-in perspectives and help confront cognitive and institutional biases
Integrate with the strategy function and align risk processes to embed risk management

9 Perspective on the proposed 2017 COSO ERM Framework

10 What is ERM according to COSO?
2004 COSO ERM Definition: ERM is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
COSO ERM Definition: The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.
COSO released the draft ERM framework June 2016, public comments were due September 2016, and the final version will be published in

11 The proposed COSO 2017 ERM Framework also looks to evolve ERM and recommends that risk be aligned with strategy and performance
Risk Governance and Culture
Risk Strategy and Objective Setting
Risk in Execution
Risk Information, Communication, and Reporting
Monitoring Enterprise Risk Management Performance
COSO released the draft ERM framework June 2016, public comments were due September 2016, and the final version will be published June

12 COSO ERM framework: why the change and what's different?
Key differences from COSO's 2004 ERM framework:
Provides greater insight into the role of ERM when setting and executing strategy
Enhances alignment between performance and ERM
Expands reporting for greater stakeholder transparency
Accommodates evolving technologies and growing data analytics use
Why the change? The complexity of risks has changed, new risks have emerged, and boards have enhanced their awareness and oversight of ERM while asking for improved risk reporting.

13 What does an enhanced ERM program look like?

14 What does going from ERM 1.0 to ERM 2.0 mean?
Risk culture
ERM 1.0: Check the box compliance view of risk management; stand-alone activity
ERM 2.0: Risk management is embedded in the operating rhythm of the business and integrated into strategic planning
Role of ERM function
ERM 1.0: Serves as the scorekeeper of risks; not well integrated with the rest of the business
ERM 2.0: ERM team acts as a Center of Excellence to advise the business
Risk management process
ERM 1.0: Identifies and tracks known risks through rearview analysis
ERM 2.0: Focuses on uncovering emerging risks against the known risk universe
Risk focus
ERM 1.0: Focuses on operational and compliance risks
ERM 2.0: Provides a risk lens to strategic priorities and helps to identify risks that can threaten or enhance competitive advantage
Link to strategy
ERM 1.0: Identifies and mitigates risks that could impact strategic execution
ERM 2.0: Identifies and analyzes emerging risks that may impact strategic assumptions and may require changes to the company's strategy or direction
ERM 1.0: Value protection focus
ERM 2.0: Value creation and protection focus

15 A framework for enhancing ERM
Companies can go beyond traditional ERM and provide additional insight on strategic and emerging risks (creating value) while also enabling the business to better manage operational, reputational, safety, regulatory and financial risks (preserving value).
Framework for Enhancing ERM:
Alignment with Strategy
Governance & Culture
Reporting & Technology
Business & Operating Model

16 Establish enhanced governance and reporting: the building blocks
Board of Directors and its Committees
ERM Team
Executive Committee
Management Risk Committee
Business Unit (Based on Organizational Structure)
Business Unit / Functional Risk Management
Key Governance and Reporting Elements
Greater focus on the most important risks to reputation, business, strategy and emerging risks
Aggregates issues for escalation to executives/board
Focused discussion on top and emerging risks, related mitigation plans, and strategic risk initiatives
Helps to enable connecting the dots across the organization and leveraging best practices
Allows for better trending analysis
Drives risk mitigation and evaluation of mitigation plan effectiveness

17 Place a greater focus on strategic risks
How to manage
Consider risks to strategic positioning
Consider risks to strategic execution
Sample capabilities
Stress test assumptions underlying new strategies and initiatives
Assess if strategic objectives are still achievable
Consider potential risk impacts of decisions
ERM team to act as a center of excellence and facilitate use of these tools and techniques
Identify risks that would keep your company from achieving strategic objectives
Identify, assess, and monitor emerging challenges to chosen strategies
Monitor market shifts or trends to provide insights to leadership and inform decisions
Scenario Planning
Assumptions Testing
War Gaming

18 Enable more effective management of business as usual operational risks
How to manage
Provide guidance on how to establish consistent identification, assessment, mitigation and reporting on risks across the businesses
Sample capabilities
Deploy a central ERM team to act as a center of excellence and work closely with the business to help them better manage risk and connect the dots across the company
Facilitate deep dives on top risks and deploy analytics to understand potential risk drivers and exposure in order to better design mitigation strategies and key risk indicators
Report on key risks and trends with a consistent format and cadence aligned to your strategy
Consistent reporting framework, cadence and dashboards
Deep dive tools (e.g. bow-tie diagram) and risk analytics
Standard risk management process, templates and guidance

19 What can an enhanced ERM program help your company do?
A leading ERM program can enable companies to make more informed decisions, create more resilient strategies, and be better prepared for the unexpected.
Take smarter risks: Take risks in a consistent way across the company with eyes wide open, while creating resilient strategies in the face of internal and external change.
Plan for the unexpected: Be prepared when threats to your strategy and business start to reveal themselves.
Be vigilant about change: Continuously monitor leading indicators to understand when you should change course or put actions into place, before it's too late.

20 Questions?

21 Contact Information Jessica Swenson Deloitte Risk and Financial Advisory Tel: Mobile: Deloitte & Touche LLP 655 West Broadway, Suite 700 San Diego, CA

22 This presentation contains general information only and Deloitte Advisory is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte Advisory shall not be responsible for any loss sustained by any person who relies on this presentation.

23 As used in this document, Deloitte Advisory means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.