7 Key Trends in Enterprise Risk Management

Transcription

1 7 Key Trends in Enterprise Risk Management John Verver, CPA CA, CISA, CMC Kevin Legere, ACDA

2 Presenters John Verver Consultant and Advisor to ACL Kevin Legere Director of Product Design

3 Agenda Excellence in ERM and Corporate Performance 7 Key Trends in ERM 6 Major Components of Data-Driven ERM Processes 15 Critical Functional Capabilities of ERM Software Q & A

4 Defining ERM Enterprise Risk Management (ERM) is a strategic business discipline that supports the achievement of an organization s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. ERM represents a significant evolution beyond previous approaches to risk management in that it: 1. Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.). 2. Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual silos. 3. Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances and stakeholders. 4. Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks. 5. Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature. 6. Views the effective management of risk as a competitive advantage. 7. Seeks to embed risk management as a component in all critical decisions throughout the organization.

5 What does excellence in ERM look like? ERM can be a systematic and information-driven approach to dealing with the obstacles to organizational success and drive performance excellence Take a phased approach Driven by data Dynamic Continuous Comprehensive Collaborative Forward-looking Action-oriented and time-bound Contextual Highly efficient

6 ERM Capability Model An ongoing journey: How mature are your organization s ERM capabilities?

7 7 Key Trends in ERM

8 Trend #1: Move beyond a Compartmentalized Silo View Achieving common, aligned views of risk contexts From: Difficult to see the big picture Inconsistent and inefficient approaches Separate, unrelated views of risks To: Combined and aggregated views Consistency in risk measurement and processes Early recognition of risk indicators Align KRI s with KPI s

9 Trend #2: Provide New Level of Quantified Insight Objective overview of current state of risks From: Inefficient and cumbersome aggregation processes Mixed apples and oranges Subjectivity and bias Limited value in overviews To: Effective comparison of risks Fact-based risk assessments Quantified risk aggregation Technology and data-driven dashboards

10 Trend #3: Using Big Data and Smart Analytics Timely, fact-driven, forward-looking risk monitoring From: Retrospective, outdated understanding Opinion-based To: Ongoing insights into what is actually happening Identification of critical trends Insights into new risks Leveraging multiple data sources

11 Trend #4: Cost Effective Approach to Internal Controls Knowing which controls are effective and important From: Seeing controls as expensive impediments Uncertainty about control effectiveness Too many controls Missing controls To: Ongoing monitoring of all activities Elimination of unnecessary controls Identification of actual risks and issues More efficient and effective controls

12 Trend #5: Informed Decisions and Smart Risk Management Risk as opportunity not just to be avoided From: Emphasis on risk avoidance Little connection between risk and organizational objectives To: Focus on opportunities Focus on risks that matter Outperforming risk-averse cultures Intelligent, well-managed risk taking

13 Trend #6: Integrate Risk Management into Daily Business Activities Driving risk intelligence throughout the organization From: Risk management is not my job Blindly following processes No context To: Widespread understanding of risks and opportunities Seeing risk and controls in context of organizational objectives Empowerment to take on informed risks

14 Trend #7: Bridge the Gap between Business and Risk Professionals Achieve an integrated aligned approach From: Limited communication between risk management and business Differing priorities and concerns To: Linked understanding Single shared platform Unified risk oversight

15 6 Key Characteristics of Performance Enhancing ERM

16 Characteristic #1: Meaningful, Centralized Risk Identification Knowing a lot more about risks Categorised by type Compared and related Assessed and quantified Context of impact on strategic and corporate objectives Central system supports all 3 Lines of Defense

17 Characteristic #2: Links to Policies, Controls and Processes Putting everything into context Risk and compliance framework established Repository details risks, control objectives, compliance requirements, controls, processes Risks and control objectives linked to each other and to strategic objectives/risks Ownerships and responses determined Single control objectives applied broadly

18 Characteristic #3: Data Analytics and Continuous Monitoring Achieving continuous risk assessment Ongoing risk assessment Data analytics play a key role Multiple data sources Analyzing and monitoring transactions throughout systems Automated questionnaires and surveys Employee hot lines Technology can be the key driver to GRC integration and collaboration and to make sure everyone is following one standardized, optimized process. Big 4 leader of risk management services

19 Characteristic #4: Consistent Enterprise-Wide Approach Standardized and consistent while supporting divergent processes Ability to compare risk apples and oranges Recognize need for consistency to support integrated/aggregated views Quantification supports assessment of different risk categories *With the understanding that one size does not fit all processes.

20 Characteristic #5: Dealing with the Things that Matter Knowing what is happening and likely to happen and then responding Analytic monitoring show what needs doing now Trend and predictive analysis shows what likely will need doing Change processes Fix problems Pre-empt likely problems

21 Characteristic #6: Reporting in the Right Way to the Right People Risk status reports that reflect the context of user Reports that reflect the role/responsibility of the individual Put in the context of overall organizational objectives Dashboards that are immediate, efficient and relevant

22 ERM Process Flow Identify and respond to risks: 1. Create a registry of risks, including both strategic and operational risks. 2. Assess risks and define responses to risks, including assigning ownership. 3. Define control objectives and control processes. 4. Link risks to relevant control objectives and processes. 5. Link related risks to strategic risks and to each other.

23 ERM Process Flow Monitor and continuously assess risks and controls 6. Assess the risk of control weaknesses and failure to comply with policies. 7. Monitor the effectiveness of controls and compliance activities through transaction monitoring. 8. Assess changing risks and identify new risk trends through data analysis. 9. Obtain up-to-date confirmation of the effectiveness of control and compliance activities from owners by means of automated questionnaires and, where appropriate, verification of adherence.

24 ERM Process Flow Manage results and respond 10. Manage the entire process of responding to results and exceptions generated from analytics monitoring and from questionnaires and verifications.

25 ERM Process Flow Report results and update assessments 11.Use the results of monitoring and exception management to produce up-to-date risk assessments. 12.Identify new and changing risks regulations as they occur and update repositories, and control and compliance procedures. 13.Report on the current status of risk management activities from high to low detail levels. 14.Produce dynamic risk assessment dashboards.

26 ERM Process Flow Improve the process 15.Identify duplicative processes and enhance procedures to combine and improve controls and compliance tests wherever appropriate. 16.Provide the ability to integrate regulatory compliance risk management, monitoring and reporting with overall risk management activities.

27 15 Critical Functional Capabilities of ERM software

28 #1 Maintain a comprehensive risk repository Risk repository should be accessible by all stakeholders in a centralized location with access to real-time updates

29 #2 Link risks to strategic objectives Enterprise risk management should be put in the context of an organizations strategic objectives.

30 #3 Map risks to policies, processes and control objectives Mapping risk to policies, processes and control objectives help organizations prioritize resources.

31 #4 Connect to risk management frameworks and regulations Mapping frameworks, standards and regulations to your internal controls to track regulatory compliance.

32 #5 Connect to data from a wide range of sources Tracking key risk and performance indicators to inform the risk assessment and monitor change in risk in real-time.

33 #6 Analyzing massive amounts of data to identify risks and anomalies Being able to analyze 100% of transactional data to detect, prevent and predict risk events give organizational assurance.

34 #7 Libraries of specialized analytics Analytics designed to automate the monitoring of key controls and processes.

35 #8 Data visualization and trend analysis Data visualizations can provide key insights into data and aggregate information in a consumable way for stakeholders.

36 #9 Smart exception monitoring Automating workflow so that the issues get routed and appropriate stakeholders are notified.

37 #10 Smart response management The ability to prioritize, track and assign key remediation activities to ensure that proper measures are taking place.

38 #11 Questionnaires, surveys and attestations Gathering human data from operational teams in order to identify key risk areas.

39 #12 Manage and monitor hotlines Risk and incident hotlines can provide escalation process within the risk management teams.

40 #13 Risk scoring Technology can enable a consistent risk assessment process across the business.

41 #14 Dashboard views of risk monitoring and assessments Real-time dashboards that key stakeholders can use to report and monitor key risk indicators.

42 #15 Integrate specialized risk management systems Embracing the era of open data to ensure that information across the organization can be aggregated and blended in meaningful ways.

43 Questions?

44 For more information contact: John Verver Kevin Legere