Efficient risk management. Presentation to the Interdepartmental Accounting Group 2013 conference

Transcription

1 Efficient risk management Presentation to the Interdepartmental Accounting Group 2013 conference

2 Outline - Enterprise Risk Management a definition - The promise vs the reality. What s the problem? - What does a good risk management process look like? - Lessons for making it work - Questions and discussion 2

3 Context Enterprise risk management (ERM) - The method and process for the whole organisation to manage risk and seize opportunity to achieve objectives. Promise ERM should help the organisation achieve its objectives by helping to identify areas of highest or emerging priority and focus attention and resource on them Reality But ERM is not (usually) effectively supporting the Board, CEO or Senior Exec level in a practical and structured way Why not and how can we make it work? 3

4 The ERM Promise vs. Reality Promise Regular executive level conversation Insightful summary new information Gets the executive on the same page Exec takes collective responsibility Drives action on the highest priority areas Live feedback loop showing progress Embedded into normal BAU processes Quick and easy Reality Not fit for the executive, becomes irrelevant Death by register hundreds of data points No new information - themes, trends, aggregation No actions or feedback cycle Silos with no conversation across the organisation An overhead burden - a compliance activity Systems driven Lost in the jargon what are we doing again? 4

5 Complexity Standards Numerous standards and guidance materials APRA Prudential Standards CPS 220 Risk Management CPS 510 Governance AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines Others Safety Risk Management, Better Practice Guide Risk Management Clinical Risk Management / Quality IT risk management standards COBIT - A Business Framework for the Governance and Management of Enterprise IT ITIL Framework Compliance & Risk Management The Foundation - Governance, Risk and Compliance Credit Risk Management (Basel), Guidelines on Recognition of an External Credit Assessment Institution, Submission to the Basel Committee on Banking Supervision Credit Risk Modelling: Current Practices and Applications

6 Complexity Models Numerous ERM models Risk Management Framework Risk Vision and Strategy Definition of Risk Strategy and the Principles for the Management of Risk Risk Management Framework Policy Overarching Framework Governing the Management of Risk Risk Appetite Statement Appetite setting process and articulation of bank-wide and operational limits Principal Risk Policies Policies for the Management, Measurement and Mitigation of Risk Liquidity & Funding Credit Risk Market Risk Risk Insurance Risk Pension Risk Model Risk Operational Risk Technology Risk Regulatory Risk Strategic and Reputation Risk Tax Risk Business Risk Control Standards Key Control Framework to optimise risk/reward Business Unit Operational Procedures Individual Risk Procedures for the Day-to-Day Management of Risk Framework and supporting documents owned by the Board Risk Management Policies owned by the Executive Owned and implemented by BU s Risk Strategy Risk Profile Risk Appetite Risk Mitigation Performance Optimisation Monitoring & Reporting Variance Analysis & Remediation 6

7 Complexity Systems Numerous vendors and products Vendor SAI Global SAS Cura Oracle Protecht Methodware Tickit Systems SAP IBM BearingPoint Convercent EMC Thomas Reuters Wynard MetricStream Protiviti Agiliance Lockpath Brinqa Product name Compliance 360 / Lawlex SAS Enterprise GRC Cura Haley WORMS Enterprise Risk Assessor Tickit On Demand SAP OpenPages GRC R2Go Convercent RSA Archer egrc Accelus Wynyard Risk Management MetricStream IT GRC Solution Governance Portal Agiliance RiskVision OpenGRC Keylight Brinqa Risk Analytics 7

8 So what is an alternative? Risk is a fundamental plank of the framework of internal control 8

9 So what is an alternative?... Go back to basics a top down approach Start with the objectives and the pay off Reinforce with design principles Collaborative design and implementation Support and build capacity and capability 9

10 Design Principles - example Vision / Aspiration Processes Key objectives / benefits: Facilitates insightful quarterly conversation at Executive level new information Provides simple visibility of relevant risks to management team - sharing Drives actions and has a visible impact on the risk profile Costs less than $X Key risks, their potential consequences, impacts and key controls need to be documented Enabling ICT systems to come after the practice is embedded into the culture People Systems Utilise a single set of definitions for key risk areas (categories) A single enterprise risk register Common language - one set of risk materiality definitions (consequence, likelihood, risk heatmap and risk treatment & escalation) Executive monitor enterprise-wide risk profile on a quarterly basis Audit and Risk Committee monitors the system of risk management and assurance Division Heads will own risks Divisions can design their own fit for purpose process so long as it uses the common language Structure Risk management function to: Maintain policy, process & templates Provide support & advice to divisions (training, assessment, facilitation, etc) Facilitate analysing, monitoring & reporting of top risks to Executive (quarterly) 10

11 Risk management function Collaborative design visualise a process Office of CEO Quarterly Risk Management Report Corporate Division Division X Division Y Key points Risk category outside of appetite / tolerance Emerging risk or trend New projects or actions Key trend or environmental change Insight and experience Possible new risk or category of risk Executive strategic discussion point Division Z Input Facilitate Aggregate Add insights Provide support and advice Own Policy & Procedure Output

12 Rare Unlikely Likelihood Possible Likely Almost certain Collaborative design - visualise an output Significant Minor Moderate Major Severe Delivery 1. Delivery category A 2. Delivery category B 3. Delivery category C 4. Delivery category D 5. Delivery category E 8 7 Key changes, movements, and trends: Movements away from target What has changed, new causes, etc. Enablers 6. Governance 7. Knowledge / systems management 8. People / culture 9. Program / project / contracts management 10. Resource management Movements towards target What has changed, new causes, etc. Consequence (Impact) Risk rating: L H Low High M VH Medium Very high x Current risk rating Steady trend x Target risk rating Downward trend Upward trend

13 The important stuff Success factors - Stakeholders CEO/Board buy-in Credible practitioners (executive agenda, facilitate Exec meeting) Agree the purpose simple and achievable promise vs reality! Agree design principles, output & process Allow flexibility, don t mandate anything you don t have to Be realistic about timeframes iterative Clever assignment of risk category owners can help sharing and reduce silos Aim to be part of conversational rhythm of the organisation Help the divisions succeed be part of the solution, take responsibility. 13

14 The important stuff Success factors - Technical Get the context right up front don t proceed until you do Invest in creating a single language, include divisions Invest in capability building don t lob policies, templates and wait Don t buy into general concerns get specific, focus on practical actions The two fundamental questions in risk facilitation: What could cause that to happen? What is at risk? Focus on Current vs. Target and what extra do we need to do (if anything) Remove mitigating controls from Exec & divisional reporting it s generally noise Invest in aggregation, themes, trends generate new information. 14

15 Questions? Contact details Joshua Chalmers

16 Outputs case study 16

17 Outputs case study (cont d) 17

18 Outputs case study (cont d) 18