Risk Management With an Enterprise (Wide) Focus


Slide 1: Risk Management With an Enterprise (Wide) Focus
August 11,

Slide 2: Today's Presenters
Jerry Miller, CRCM, CMC, AMLS, CRP, Partner, jlmiller@wipfli.com

Slide 3: Risk Management Governance Across an Entire Organization: Doing It for Years!

Slide 4: Outline
I. Recognizing Past Risk Management Efforts
  1. Basic Risk Management Techniques
  2. COSO's Enterprise Risk Management: Fitting the Pieces Together
II. New Proposed ERM
III. ERM Consulting Phased Approach
IV. Summary
"Even a correct decision is wrong when it was taken too late." Lee Iacocca

Slide 5: I. Recognizing Past Risk Management Efforts
Framework components by era. Columns: 1970s and 1980s Historic View | COSO 1992 Internal Controls | COSO ERM | COSO 2013 Internal Controls | COSO 2016 Proposed ERM Changes
Risk Tolerance | Control Environment | Internal Environment; Objective Setting | Control Environment | Risk Governance and Culture
Risk Identification & Management | Risk Assessment | Event Identification; Risk Assessment; Risk Response; Risk Appetite | Risk Assessment | Risk, Strategy, and Objective Setting
Risk Supervision | Control Activities | Control Activities | Control Activities | Risk in Execution
Risk Monitoring | Monitoring Activities | Monitoring | Monitoring Activities | Monitoring ERM Performance
(none) | Information & Communication | Information & Communication | Information & Communication | Risk Information, Communication, and Reporting

Slide 6: Risk Management Transition
Four Basic Risk Management Techniques
- Steps taken in financial transactions for hundreds of years
- Regulation implemented emphasis during the Great Depression
- 1970s through 1990s: further expanded due to cyclical economic conditions
- Audit approaches relied more and more on risk assessments
- Federal and state financial regulators introduced risk-based exam techniques
Enterprise Risk Management 2004
COSO in 2004 published Enterprise Risk Management: Integrated Framework, which provided enhanced and global insights on risk management. It offered guidance on types of risks, risk strategies, and risk appetite. It brought a new vision of risk management into the board room.
Enterprise Risk Management 2016
COSO in May 2016 published Enterprise Risk Management: Aligning Risk with Strategy and Performance. It sets out core definitions, components, and principles, and offers direction.

Slide 7: Internal Control Framework Standards
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued Internal Control: Integrated Framework in 1992 to help businesses and other entities assess and enhance their internal control systems.
The Sarbanes-Oxley Act of 2002 and similar legislation require public companies to maintain systems of internal control, and require management to certify, and an independent auditor to attest to, the effectiveness of those internal control systems.
COSO updated Internal Control: Integrated Framework in 2013, and it continues to serve as the broadly accepted standard for satisfying those reporting requirements.
NOTE: Internal Control: Integrated Framework (2013) and Enterprise Risk Management: Aligning Risk with Strategy and Performance are distinct from each other and provide different focuses; neither supersedes the other. HOWEVER, they do overlap, as internal controls are a key component of aligning risk with strategy and performance.

Slide 8: Risk Management Discussions: Early Years

Slide 9: 1. The Basic Risk Management Techniques (Enterprise (Wide) Risk Management (ERM))
- Risk Tolerance
- Risk Management/Identification
- Risk Supervision
- Risk Monitoring
These four focuses served as the primary risk disciplines for the 1970s, 1980s and 1990s. Examples:
- Loan Review Risk Ratings Process
- Asset and Liability Risk Management
- Business Contingency Planning
- Bank Secrecy Act Risk Assessment
- Emergency Response
- Security Assessment
- Personnel Development
- Staffing Analysis
- Capital Planning

Slide 10: Basic Risk Management Techniques
I. Risk Tolerance
Risk tolerance is a risk management technique that challenges the board of directors and management at each entity to agree on the acceptable levels of each type of risk for that bank.
II. Risk Identification & Management
Risk identification is an integral part of risk management techniques; the board of directors, to agree upon the acceptable levels of each type of risk for that institution, must identify how risk occurs, in what forms, and in what processes.
III. Risk Supervision
Risk supervision is directed through corporate bylaws and resolutions. Board and management committees, management structure, and other elements of organizational structure emanate from the bylaws and board resolutions.
IV. Risk Monitoring
Through the deliberate introduction and ongoing use of risk monitoring techniques, directors and management can assess how risk supervision techniques are working, whether the right identification processes are in place, and whether proper risk tolerance guidelines have been established. Risk monitoring techniques generally rely on an independent third party to perform a review. Audit coverage, systems reviews, and compliance evaluations are critical to the risk monitoring process. Reviews of insurance coverage, physical premises, disaster recovery planning, and other areas are also aspects of risk monitoring.

Slide 11: Risk Mantle: Strategies and Focus Points
"Risk is like fire; if controlled it will help you, but if left uncontrolled, it will rise up and destroy you." Theodore Roosevelt

Slide 12: Strategic Planning and Risk Management
Every strategic plan today typically includes risk management as a key strategic priority! Strategic planning and risk management go hand in glove.
Strategies include:
- Building the appropriate ERM structure
- Designating a Chief Risk Officer with an appropriate role description
- Defining the Board's tolerance for risk
- Embedding risk management into all facets of the company
- Ensuring an appropriate governance structure to oversee risk

Slide 13: Reflections on the Four Risk Management Techniques
- Singular focus on type of risk
- Generally silo oriented, e.g., ALM
- Limited risk insights by product/service
- Focused at a middle-management or higher level
- One objective direction
- Directors and senior management often left to interpret level, trend, and future risk

Slide 14: 2. COSO's Enterprise Risk Management: Fitting the Pieces Together
COSO in 2004 published Enterprise Risk Management: Integrated Framework, which communicated a research project started in

Slide 15: What is ERM (2004 definition)?
Enterprise risk management deals with risks and opportunities affecting value creation or preservation, and is defined as follows. Enterprise risk management is:
- A process, effected by an entity's board of directors, management and other personnel.
- Applied in strategy setting and across the enterprise.
- Designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite.
- Intended to provide reasonable assurance regarding the achievement of entity objectives.

Slide 16: Enterprise (Wide) Risk Management (ERM)
Thinking about risk management, thoughts to consider from others: "Risk comes from not knowing what you're doing." Warren Buffett
[Figure: the 2004 COSO cube, with dimensions Business Units, Risk Categories, and ERM Approach]

Slide 17: A. ERM Framework
Focuses on achieving an entity's objectives:
- Strategic: high-level goals, aligned with and supporting its mission
- Operations: effective and efficient use of its resources
- Reporting: reliability of reporting
- Compliance: compliance with applicable laws and regulations

Slide 18: B. Enterprise Risk Management Approach
1. Is a process, ongoing and flowing through an entity.
2. Is effected by people at every level of an organization.
3. Is applied in strategy setting.
4. Is applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk.
5. Is designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite.
6. Is able to provide reasonable assurance to an entity's management and board of directors.
7. Is geared to achievement of objectives in one or more separate but overlapping categories.

Slide 19: C. Enterprise Risk Management Focus Encompasses:
- Aligning risk appetite and strategy: Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
- Enhancing risk response decisions: Enterprise risk management provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing, and acceptance.
- Reducing operational surprises and losses: Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.

Slide 20: C. Enterprise Risk Management Focus Encompasses (cont.):
- Identifying and managing multiple and cross-enterprise risks: Every enterprise faces a myriad of risks affecting different parts of the organization. Enterprise risk management facilitates effective response to interrelated impacts, and integrated responses to multiple risks.
- Seizing opportunities: By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
- Improving deployment of capital: Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

Slide 21: D. ERM: The Process
The interrelated components follow the way management runs an enterprise and are integrated with the management process.
- Internal Environment: The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
- Objective Setting: Before management can identify potential events affecting objectives, it must have in place a process to set objectives that align with the entity's mission and are consistent with its risk appetite.
- Event Identification: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Slide 22: D. ERM: The Process (cont.)
- Risk Assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
- Risk Response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
- Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
- Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Slide 23: E. ERM Reminders: Events and Opportunities
Events can have negative impact, positive impact, or both. Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities. Opportunities are the possibility that an event will occur and positively affect the achievement of objectives, supporting value creation or preservation. Management channels opportunities back to its strategy or objective-setting processes, formulating plans to seize the opportunities.

Slide 24: F. ERM Function Generally Encompasses Coordinated Activities
- Recognition or identification of risks
- Ranking or evaluation of risks
- Responding to significant risks: accept/tolerate; address and treat; transfer; terminate
- Resourcing/providing controls
- Detailing reaction planning
- Monitoring risk performance
- Reporting risk performance
- Assessing/reviewing the risk management framework

Slide 25: Example: OCC's Guidance, NR : Heightened Standards for Large Financial Institutions (9-2-14)
1. Risk governance framework
2. Scope of the risk governance framework
3. Roles and responsibilities
4. Strategic plan
5. Risk appetite statement
6. Concentration and front line unit risk limits
7. Risk appetite review, monitoring, and communication processes
8. Compensation and performance management programs
9. Processes governing risk limit breaches
10. Concentration risk management
11. Risk data aggregation and reporting
12. Relationship of risk appetite statement, concentration risk limits, and front line unit risk limits to other processes
13. Talent management processes

Slide 26: Example: Small, Less Complex: Does ERM Still Work?
Small, less complex institutions:
- Still have risks.
- Worry about threats.
- Have strategies.
- Want to take advantage of opportunities.
Size is not a driver of usage of ERM practices. Methodology or approach will vary depending on business model. ERM basic concepts still apply.

Slide 27: Post Great Recession Lessons: Need Further ERM Enhancements

Slide 28: II. Proposed Enhanced ERM 2016: ERM Revisions
- Focus on the ERM management role when setting and executing strategies.
- Enhance alignment between performance and ERM.
- Accommodate expectations for governance and oversight.
- Recognize economic globalization and the importance of applying a common, yet tailored, approach across different geographies.
- Present new approaches to setting and achieving objectives in the realm of greater business complexity.
- Expand reporting to address stakeholders' expectations for greater transparency.
- Accommodate evolving technologies and growth of data analytics in supporting decision making.

Slide 29: COSO's May 2016 release of Enterprise Risk Management: Aligning Risk with Strategy and Performance, for public comment due September
Minimal changes are anticipated from the draft; it focuses on five principles:
- Risk Governance and Culture
- Risk, Strategy, and Objective-Setting
- Risk in Execution
- Risk Information, Communication, and Reporting
- Monitoring Enterprise Risk Management Performance
The enhanced ERM framework approach will assist directors in managing risk in an ongoing format. It offers greater transparency for stakeholders.

Slide 30: [Figure] Source: COSO's May 2016 release of Enterprise Risk Management: Aligning Risk with Strategy and Performance

Slide 31: 1. Mission, Vision, and Core Values
These define an organization and how it wishes to conduct business.
- Mission: Details the entity's core purpose, which underscores why it exists and what it wants to achieve.
- Vision: Details the entity's hopes and goals for its future plans, or what it aspires to achieve over time.
- Core Values: Set out the entity's beliefs and ideals about what is good/bad and acceptable/unacceptable, which may influence the behavior of the entity.

Slide 32: 2. Aligning Strategies and Objectives
- Should align with or support an entity's mission, vision, and core values
- Assess how the chosen strategy may impact the risk profile
- Determine risks related to governance and operating models, legal structure, and management
- Include control points

Slide 33: 3. Enhanced Performance
- Risks are associated with achieving performance benchmarks: finding a balance.
- The relationship between risk and performance is seldom linear.
- Incremental changes in performance do not always equal change in risk.
- Enhancing performance is balancing risk capacity, risk profile, and risk appetite to achieve desired results.

Slide 34: [Figure] Source: COSO's May 2016 release of Enterprise Risk Management: Aligning Risk with Strategy and Performance

Slide 35: Risk Governance and Culture
1. Exercises Board Risk Oversight: The board of directors provides oversight of the strategy and carries out risk governance responsibilities to support management in achieving strategy and business objectives.
2. Establishes Governance and Operating Model: The organization establishes governance and operating structures in the pursuit of strategy and business objectives.
3. Defines Desired Organizational Behaviors: The organization defines the desired behaviors that characterize the entity's core values and attitudes toward risk.
4. Demonstrates Commitment to Integrity and Ethics: The organization demonstrates a commitment to integrity and ethical values.
5. Enforces Accountability: The organization holds individuals at all levels accountable for enterprise risk management, and holds itself accountable for providing standards and guidance.
6. Attracts, Develops, and Retains Talented Individuals: The organization is committed to building human capital in alignment with the strategy and business objectives.

Slide 36: Risk, Strategy, and Objective Setting
7. Considers Risk and Business Context: The organization considers potential effects of business context on risk profile.
8. Defines Risk Appetite: The organization defines risk appetite in the context of creating, preserving, and realizing value.
9. Evaluates Alternative Strategies: The organization evaluates alternative strategies and their impact on risk profile.
10. Considers Risk while Establishing Business Objectives: The organization considers risk while establishing the business objectives at various levels that align with and support strategy.
11. Defines Acceptable Variation in Performance

Slide 37: Risk in Execution
12. Identifies Risk in Execution: The organization identifies risk in execution that impacts the achievement of business objectives.
13. Assesses Severity of Risk: The organization assesses the severity of risk.
14. Prioritizes Risks: The organization prioritizes risks as a basis for selecting responses to risks.
15. Identifies and Selects Risk Responses: The organization identifies and selects risk responses.
16. Assesses Risk in Execution: The organization assesses operating performance results and considers risk.
17. Develops Portfolio View: The organization develops and evaluates a portfolio view of risk.

Slide 38: Risk Information, Communication, and Reporting
18. Uses Relevant Information: The organization uses information that supports enterprise risk management.
19. Leverages Information Systems: The organization leverages the entity's information systems to support enterprise risk management.
20. Communicates Risk Information: The organization uses communication channels to support enterprise risk management.
21. Reports on Risk, Culture, and Performance: The organization reports on risk, culture, and performance at multiple levels of and across the entity.

Slide 39: Monitoring Enterprise Risk Management Performance
22. Monitors Substantial Change: The organization identifies and assesses internal and external changes that may substantially impact strategy and business objectives.
23. Monitors Enterprise Risk Management: The organization monitors enterprise risk management performance.

Slide 40: IV. ERM Consulting Phased Approach
Phase 1: Reflections: historical perspectives; interviews; data analysis; peer analysis; timeline
Phase 2: Assessing ERM as of date: ERM framework evaluation; objectives and goals; strategies and business model; acceptable assumptions; training for everyone
Phase 3: Kick-start process: implement/enhance ERM; initiating reporting; initial department reporting
Phase 4: Checkup/adjustments: validate results; assess accuracy; control checks; set ERM calendar
Note: reflects 2004 ERM (current approach).

Slide 41: Phase I: A Phased Approach to ERM Development and Usage
Reflections is the analysis of the organization's current risk posture as of the start date of the project. It consists of data analysis, documentation reviews, and discussions centering on the perceived and actual risk culture that is currently in place. Input is provided by directors, senior management, and other staff, if deemed applicable. This phase also requires a period-of-time perspective to ascertain risk management effectiveness.

Slide 42: Phase I (columns: PROCESS | COLLATERAL | ASSOCIATES | HOURS | FEES)
Process:
- Review of current information prepared by the financial institution: strategic plan, governance documents including board and management committee structures, risk policies, board reports, operational and product risk assessments, examinations, and external and internal audit reports.
- Survey
- Interviews
Collateral:
- Surveys for board, senior management, and business units
- Risk Governance Standards Questionnaire to use as a guide
- Dashboard is customized to the client, utilizing a simple Excel/Qlikview dashboard.
- Narrative would be similar to that which Wipfli prepares for the monitoring risk assessments used to prepare three-year examination plans.
DELIVERABLE: High-level Dashboard of Current Risk Environment and Narrative With Suggested Next Steps

Slide 43: Phase I
Participants | Onsite Meetings | Individual Discussions | Staff Feedback | Survey
Directors | X | X | X | X
Officers | X | X | X | X
Selected Staff | X | X | X | ----
Wipfli Staff | X | X | X | X

Slide 44: Phase I Steps
- Phase I Request Letter: Wipfli provides initial data requests; onsite meeting. Discuss data availability and timing; refine the timeline.
- Phase I Data Analysis: Data is analyzed by Wipfli staff; follow-up requests if required. Summarize initial results and insights.
- Phase I Discuss Next Steps: Management/Wipfli meeting is held to discuss findings/next steps. Finalize materials as mid-point Phase I documentation.
- Phase I Feedback: Wipfli prepares/hands off surveys. Management data feedback is received/recorded.

Slide 45: Phase I
Data Requests:
- Assess current status.
- Create inventory of what exists in terms of governance pieces.
- Refine requests and seek additional guidance.
- Segment resources and references.
Data Analysis:
- Look at details of corporate governance.
- Ascertain control points.
- Separate each entity to assess alone.
- Look for similarities vs. differences.
Data Testing and Comparison:
- Review independent assessments and reports.
- Look for repeat items.
- Assess for trends.
- Project future risks.

Slide 46: Phase 2: A Phased Approach to ERM Development and Usage
Using Phase I deliverables as guidance, perform the next steps. Focus on creating/enhancing the ERM program:
- Consulting on next steps to address Phase I findings
- Match strategies, business model, and risk appetite
This phase is the bulk of the ERM engagement.
NOTE: If no identifiable risk management program or process is in place, Phase I and Phase II may be performed together.

Slide 47: Phase 2 (columns: PROCESS | COLLATERAL | ASSOCIATES | HOURS | FEES)
Process:
- Preparation of the Overall Risk Assessment*, utilizing the ten risks of financial institutions as a baseline for the assessment
- Policy* preparation and/or review
- Interviews with senior management and staff regarding the high-level human resource view, and a driven Risk Culture Assessment* to determine FI readiness
- Chief Risk Officer (CRO) designee: aid in determining if a CRO is necessary; interview candidates' qualifications
Collateral:
- Word document risk assessment utilizing ratings for Inherent Risk, Controls/Procedures, and Residual Risks
- Word templates for Charter and Risk Policy
- Survey using GPS or a similar tool being developed by SAS
- Job Description* template
Deliverables are marked with *. Deliverables are to be presented to the Board of Directors for final approval.

Slide 48: Phase 2 (columns: PROCESS | COLLATERAL | ASSOCIATES | HOURS | FEES)
Process:
- Committee Structure* development consultation, based on information received in Phase I
- Preparation of Risk Appetite Statement*, based on information received in Phase I (Strategic Plan/Surveys/Interview)
- Tolerances, Key Risk Indicators, and Dashboard* consultation or preparation
- Policy* preparation and/or review
- Chief Risk Officer (CRO) designee: aid in determining if a CRO is necessary; interview candidates' qualifications
Collateral:
- Templates and samples available, but individually determined
- Based on information received in Phase I (Policies and Risk Assessment)
- Dashboard (Excel or Qlikview) templates can be provided
- Word templates for Charter and Risk Policy
- Job Description* template
Deliverables are marked with *. Deliverables are to be presented to the Board of Directors for final approval.

Slide 49: Phase 2: Enterprise Risk Posture
Establish level of commitment.
- Board of Directors: Approve governance tools; Assess performance and accountability
- Executive Management, Officers, Managers: Implement and maintain policies, procedures, and controls; Provide daily enterprise oversight; Nurture awareness
- Staff and Third-Party Relationships: Follow process and directives; Report areas of concern

Slide 50: Phase 2: Enterprise General Risk Management Components: Board of Directors
- Strategic Planning
- Board Governance
- Policy Development
- Organizational Oversight
- Human Resources Management
- Change Management
- Mergers and Acquisitions
- Reporting and Analysis
- Training

Slide 51: Phase 2: Enterprise General Risk Management Components: Management (Executive Management, Officers, Managers)
- Developed Delivery Systems
- Products and Services
- Defined Controls and Processes
- Reporting Systems
- Quality Assurance Controls
- Training
- Talent Development Plan

Slide 52: Phase 2: Enterprise General Risk Management Components: Staff/Business Units and Third-Party Vendors
- Performance Goals
- Products/Services
- Documentation and Guides
- Supporting Infrastructure
- Training
- Self-Monitoring

Slide 53: Phase 2: A Sample Action Plan (columns: Ref. | Focus Area | Priority | Assigned)
1. Formal ERM Policy with sections to include:
  I. Statement of need and definition
  II. Statement of purpose
  III. General objective
  IV. Specific goals
  V. Risk management formal program framework
  VI. Policy elements
    A. Board of Directors responsibilities
    B. Risk management staff duties, responsibilities, and accountabilities
      i. Chief Risk Officer and staff
      ii. ERM Committee
      iii. Senior management duties and responsibilities

Slide 54: Phase 2: A Sample Action Plan (cont.)
    C. ERM components (governance, risk categories, and compliance)
      i. Governance
      ii. Risk categories
      iii. Compliance
    D. Risk tolerance guidelines
    E. Risk management techniques
    F. Risk treatment
    G. Implementation of the Enterprise-wide Risk Management (ERM) Plan
    H. Mechanisms for risk identification
    I. Risk supervision tools
    J. Risk management's ongoing responsibilities
    K. Risk control
    L. Independent review/audit
    M. Training
    N. Reporting
    O. Recordkeeping requirements

Slide 55: Phase 2: A Sample Action Plan (cont.)
  Appendix items:
    Appendix A: Enterprise Risk Management (ERM) Committee Charter
    Appendix B: Chief Risk Officer Job Description
    Appendix C: Risk Category Listing and Definitions
2. ERM Program and Related Implementing Procedures, including:
  I. Details of procedures, processes, and, if applicable, forms to implement the ERM Policy
  II. Procedures to address new risk, new delivery channels, new products/services, and change
  III. Guidance on modeling risks and risk impact of ERM within the organization
  IV. Detailed lines of reporting and accountability for ERM, including reporting direction
  V. Guidance on utilization of the three lines of defense to ascertain the viability and accuracy of risk management
  VI. Documented risk management controls
  VII. Adoption of a risk appetite (tolerance) menu by department/functional area and, as appropriate, by products/services

Slide 56: Phase 2: A Sample Action Plan (cont.)
3. Adoption of Risk Appetite Statement and Risk Tolerance Parameters
4. Annual calendar that addresses various events, including:
  I. ERM Committee meeting dates
  II. Annual review of ERM governance documents and charter
  III. Review of risk assessments by functional area/departments
  IV. Quarterly Risk Report to the Board
  V. Training
5. ERM Departmental/Functional Area Risk Monitoring
  I. Calendar
  II. Risk questionnaires

Slide 57: Phase 2: A Sample Action Plan (cont.)
6. Draft training program
7. Regulatory agency package, including:
  I. Overview of the institution's ERM program
  II. Specific supporting details relevant to the examination timeframe
  III. Communication considerations on ERM follow-up
  IV. Responding to regulatory requests or concerns
NOTE: It is important to devote sufficient time to identify and list strategies and objectives, create a realistic risk appetite profile, and then detail sets of risk tolerance parameters.

Slide 58: Phase 2: Key Risk Indicators (KRI): Relevant Characteristics
[Figure] Source: Developing Key Risk Indicators to Strengthen Enterprise Risk Management, COSO,

Slide 59: Phase 2: KRI Linkages [Figure]

Slide 60: Phase 2: KRI Linkages (cont.) [Figure]

Slide 61: Phase 2 [Figure]

Slide 62: Phase 3: A Phased Approach to ERM Development and Usage
Phase III can be broken down into two parts:
1. Integration and Culture
2. Governance and Accountability
Kick-start program: implement and guide the client; facilitate ERM program evolution. Components include risk assessments, testing, and assessments of new and old products and services.

Slide 63: Phase 3 (columns: PROCESS | COLLATERAL | ASSOCIATES | HOURS | FEES)
Process:
- Train departments and/or business unit staff.
- Perform sample test monitoring to assess risk controls and locations/mitigation procedures.
- Develop strategic planning integration and tracking; prepare for first-year full integration.
- Initiate periodic reporting requirements.
- Develop and refine Board reporting packages.
- Design/purchase risk management monitoring tools for use in the annual (or more frequent) roll-up process. Tailor to the organization and sample test.
Collateral:
- Provide training materials; deliver training
- Risk control questionnaires completed through testing and interview processes
- Create and finalize strategic planning integration
- Management reporting package: design and refine
- Creation and refinement
- Periodic, no less than annual, enterprise risk roll-up process: initiation and refinement

Slide 64: Phase 3: Putting It into Perspective
[Figure with elements: Governance; Current Assessment; Risk Assessment Profile; Enterprise Risk Management Program; Benchmarking; Process and Controls Focus]

Slide 65: Phase 3: ERM Focus: Refinements and Enhancements
Reviews:
1. Department or functional area is completed.
2. Senior management signs off as completed.
Analysis Summary:
1. Review, analysis, and comparisons are performed by the CRO and Wipfli.
2. Initial risk profile reports are assembled, profiled, and trends posted.
3. Next steps plan is created.
Handoff:
1. Provide information to the Risk Committee for discussion, review, and action.
2. Focus on potential problematic areas.
Then:
1. Create detailed action plans to address next steps.
2. Establish a 12-month calendar for the committee.
3. Review/adopt final risk level report, ratings, and trends analysis.

Slide 66: Phase 3: Methodology Overview [Figure]

Slide 67: Phase 3: Enterprise Risk Posture
Establish level of commitment.
- Board of Directors: Approve governance tools; Assess performance and accountability
- Executive Management, Officers, Managers: Implement and maintain policies, procedures, and controls; Provide daily enterprise oversight; Nurture awareness
- Staff and Third-Party Relationships: Follow process and directives; Report areas of concern

Slide 68: Phase 4: Checkup/Adjustments
- Validate results
- Assess accuracy
- Control checks
- Set ERM calendar

Slide 69: Critical Divisions of Risk Defense
Enterprise-Wide Risk: General Risk Focus Points
Three Lines of Defense to Address Risk Elements:
1. First Line of Risk Defense: Business Units; Front-Line Customer Product/Service Channels
2. Second Line of Defense: Risk Management Team; Compliance Management
3. Third Line of Defense: Internal Audit; External Audit

Slide 70: Three Lines of Defense (overseen by the Board of Directors and Senior Management)
- 1st Line of Defense: Management controls; Internal controls and related procedures. Responsible: Individual department/functional area; central oversight areas, e.g., IT, finance, legal
- 2nd Line of Defense: Risk assessments; Monitoring compliance with regulations and policies. Responsible: Division senior officers; Risk Officer; Compliance Officer and team members
- 3rd Line of Defense: Independent testing of the entire process; Validation of risk analysis and reporting. Responsible: Internal Audit; External Audit or independent reviewer

Slide 71: Mileposts to Measure Progress: Enterprise Risk Management (ERM) Program
Assessing Today's ERM Program:
- Phase 1: Reflections
- Phase 2: Assessing Current ERM
- Phase 3: Refine and Enhance ERM
- Phase 4: Implement ERM Changes
- Future Considerations
Estimated Timeframes: Minimal 1 to 2 months; Average 3 to 5 months; 4 to 6 months; 6 to 12 months; 4 to 6 months; 1 to 2 months; 5 to 7 months; 3 to 4 months; Open; Open
"Only those who will risk going too far can possibly find out how far one can go." T.S. Eliot

Slide 72: V. Summary
Factors:
- The challenge for management is to determine how much uncertainty (and therefore how much risk) the organization is prepared to accept.
- It is critical that management recognize that effective ERM allows a balance of exposure against opportunity.
- Board commitment that the ultimate goal is to enhance an organization's capabilities to create, preserve, and ultimately realize value.
Goal: ERM recognized as the culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.

Slide 73: Launching ERM in Your Institution
1. Discuss and seek Board support and resource commitment
2. Develop a program with your senior management team detailing:
  A. Organizational business model and mission statement
  B. Objectives
  C. Goals
  D. Strengths, weaknesses, opportunities, and threats
  E. Strategies
  F. Tactics to address risks
  G. Benchmarks for progress assessment
3. Integrate the ERM program and initiate
4. Assess risk levels, tactics per strategies, and overall performance
5. Fine-tune

Slide 74: Future Examiner Questions? (answer column: Yes/No/N/A)
- Has the institution or organization established a formal risk governance framework?
  a. Is the formal risk governance framework adhered to?
- Has there been a clear establishment of delegations of authority by the Board to executive management and/or management committees?
  a. Have risk levels been established for material activities?
- Was the framework designed by an independent risk management function and approved by the Board?
- Does an independent risk management function review and update the governance framework at least annually?

Slide 75: Future Examiner Questions? (cont.) (answer column: Yes/No/N/A)
- Does the risk governance framework cover the following risks: a. Credit, b. Interest Rate, c. Liquidity, d. Price, e. Operational, f. Compliance, g. Strategic, and h. Reputation?
- Does the risk governance framework include three distinct functions: a. Front office or front line units, b. Independent risk management, and c. Internal audit?
Note: These three focuses are referred to as the three lines of defense.

Slide 76: Future Considerations: Risk Profile Illustration
[Figure] Considering risk in establishing business objectives and setting performance targets. Source: Appendix, COSO ERM Public Exposure, page

Slide 77: Questions? The End. Thank You!