Enterprise Risk Management (ERM) - Impact of 2017 COSO ERM Model


1 Enterprise Risk Management (ERM) - Impact of 2017 COSO ERM Model. Institute of Internal Auditors, Detroit Chapter Meeting, February 2019

2 With you today: Sarah Ann Moore, Director, Internal Audit and Enterprise Risk, KPMG

3 Agenda
- The context for the COSO update
- Connecting strategy, risk and performance
- Summary of key COSO 2017 changes
- Impact on current ERM practices
- Closing thoughts: keys to long-term ERM success
- Questions

4 The context for the COSO update

5 The context for the COSO update
"If you aren't constantly assessing strategy and risk, and adjusting as you go, there's no way you're keeping pace as a business or a board." - Public Company Director, KPMG's Global Boardroom Insights

6 The context for the COSO update: Change is moving faster than ever
- Regulations and Policies: Designed to protect the way the world worked in the 20th century, regulations have not evolved to today's world.
- Customer Behavior: Behavior is changing due to demographic shifts, and economic conditions are rippling through sectors.
- Business Models & Strategies: Those developed in the Industrial Age are being challenged by companies that leverage technology and agile business models to meet the demands of today's marketplace and customers.
- Exponential Technologies: Fortune 500 companies are struggling to adopt and implement technology enablers to meet changing demand.

7 The context for the COSO update: Macrotrends are changing behaviors
Large demographic shifts are driving change in customer preferences, expectations, and spending behavior across all industries.
- 1 in 3 adults will be a millennial by 2020. Millennials are entering their prime spending years, and will have a significant impact on the market and on purchasing behavior and preferences.
- By 2030, the world's 65+ population will double to 1 billion. Boomers are entering retirement, and the aging population is expected to drive a large increase in healthcare expenditure.
- 60% of the world's population is expected to live in cities by 2030. Urbanization increases consumer demand for alternative channels for purchasing all products, including oral care products and services, impacting people's preferences around products, convenience, and how they go about purchasing.
- 165% increase in the number of single households since the 70s. Changing household makeups and an increase in the number of single households are impacting the way consumers spend and shop.

8 The context for the COSO update: Technology is the great accelerator
- Technology is changing people's behavior: digital path to purchase; enhanced customer experience. 72% of U.S. adults own a smartphone, and the average consumer checks their phone every six minutes.
- Technology is enabling new business models: tech giants; startups; customization; the Internet of Things.

9 The context for the COSO update: CEOs aware and concerned. Source: KPMG CEO Study, Setting the course for growth: CEO Perspectives

10 The context for the COSO update: Why ERM and where does COSO fit in?
By evaluating the threats and opportunities to strategy and objectives, ERM closely links risk, strategy, and performance, enabling management to make more informed decisions.
Governance
- Adhere to better-practice principles of corporate governance (COSO ERM Framework, NACD core principles, etc.)
- Meet rating agency expectations
- Federal Sentencing Guidelines principles: the foundation for effective corporate compliance
Strategy
- Provide a competitive advantage versus industry peers
- Link strategic planning objectives to enterprise risks to align key priorities with senior management
Operational Performance
- Provide greater transparency on events that impact desired performance
- Enhance ability to meet goals through targeted action and clear accountability
- Support an organization-wide risk-aware culture
- Better leverage supporting systems and tools to optimize operational effectiveness

11 The context for the COSO update: Connecting strategy and risk
Innovating and pursuing opportunity while balancing upside and downside.
- Financial performance targets: growth, profitability, liquidity, leverage
- Markets: acquisitions, pricing, new markets, new products, business model
- Risks to strategy: propositions and brands; clients and channels; operating model cost; core business processes; operational and technology infrastructure; organizational structure, governance, risk and controls; people and culture; measures and incentives
- External risks: natural hazards, commodity prices, geopolitical events, cyber attack
- Internal risks: regulatory violations, quality issues, technology and data events, resource shortages
The focus of the majority of today's ERM programs is value preservation, not value creation.

12 Summary of key COSO 2017 changes

13 Summary of key COSO 2017 changes: COSO 2017 headlines
The new COSO ERM Framework, titled Enterprise Risk Management - Integrating with Strategy and Performance, is an update to the 2004 publication (Enterprise Risk Management - Integrated Framework). The update:
- addresses advancements made in ERM practices since 2004
- acknowledges the evolving business environment and the need for enhanced ERM strategies and processes
- highlights the need to consider risk to strategy (both the strategy-setting process and strategy execution)
Source: Enterprise Risk Management - Integrating with Strategy and Performance, Executive Summary, COSO (2017)

14 Summary of key COSO 2017 changes: COSO 2017 headlines
The updated document:
- Describes the five new Framework components and 20 underlying principles, and includes a graphic that illustrates how these components and principles interact
- Provides an updated definition of enterprise risk management
- Highlights the role of ERM in not just preserving value, but also creating value, and elevates the discussion of strategy and its link to performance management
- Links ERM and decision-making activities
- Encourages the integration of ERM into the management of an organization, as opposed to a siloed activity
- Examines how organizational culture can influence the effectiveness of ERM
- Enhances the concepts of risk appetite and tolerance
"Uncertainty that matters." Risk is "the possibility that events will occur and affect the achievement of strategy and business objectives." Enterprise risk management is "the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving and realizing value."
Source: Enterprise Risk Management - Integrating with Strategy and Performance, COSO, June

15 Summary of key COSO 2017 changes: Link to COSO's 2013 Internal Control - Integrated Framework
- The new ERM Framework and the Internal Control Framework complement each other, with neither superseding the other
- The updated ERM Framework describes areas that go beyond internal control; however, the Internal Control - Integrated Framework remains a viable and suitable framework for designing, implementing, conducting and assessing the effectiveness of internal control, and for reporting, as required in some jurisdictions
Source: Enterprise Risk Management - Integrating with Strategy and Performance, Frequently Asked Questions, COSO (2017)

16 Impact on current ERM practices

17 Impact on current ERM practices: ERM framework components
Risk Strategy and Appetite
- Linkage to corporate strategy
- Risk strategy
- Risk appetite and tolerance
Risk Governance
- Board oversight and committee
- Company risk operating structure
- Risk guidance
- Roles and responsibilities
Risk Culture
- Knowledge and understanding
- Belief and commitment
- Competencies and context
- Action and determination
Risk Assessment and Measurement
- Risk definition and taxonomy
- Risk identification
- Assessment and prioritization
- Quantitative methods and modeling
- Risk aggregation, correlation and concentration
- Scenario analysis and stress testing
Risk Management and Monitoring
- Risk mitigation, response and action plans
- Testing, validation and management's assurance
- Monitoring
- Risk in projects/initiatives
- Capital and performance management
Risk Reporting and Insights
- Risk reporting
- Business/operational requirements
- Board and senior management requirements
- External requirements
- Decision support
Data and Technology
- Data quality and governance
- Risk analytics
- Technology enablement

18 Impact on current ERM practices: Common areas of current ERM focus
ERM framework areas where we see companies investing to better connect risk and strategy and to drive ERM into the business:
Risk governance
- Guiding principles and rationale for ERM
- Plain-English risk program policy/strategy
- Clear roles and responsibilities that support engagement (linked to the three lines of defense, 3LOD)
Risk appetite framework and tools
- Risk aligned to the strategy process
- Risk appetite articulated, and risk thresholds/guardrails built into reporting and decision making
- Scenario analysis and risk interconnectivity (acknowledging that risk events do not occur in silos)
Risk culture
- Understanding risk culture and its impact on decision making across the organization
- Targeted risk communication, awareness and training
- Risk linked to performance management processes
2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative

19 Impact on current ERM practices: Risk governance, 3LOD
Three lines of defense model:
- Internal Audit (IA) is a 3rd line function, with sufficient independence for objective oversight of risk management
- ERM is primarily a 2nd line function, with some activities in the 1st line or in the 3rd line
Graphic: 3rd line of defense - assurance providers (monitoring of the risk process and content); 2nd line of defense - standard setters (accountability for the risk process); 1st line of defense - business owners (accountability for risk content).

20 Impact on current ERM practices: Risk governance, 3LOD
1st and 2nd line relationships can change based on maturity factors:
- extent of 1st line skills and experience
- recent issues or losses
- regulatory attention
- other strategic change/risk factors (e.g. off-shoring, restructuring, acquiring new businesses)
Operating models for the 2nd line, from most centralised to most distributed:
- Entirely centralised 2nd line; 1st line is self-sufficient; little proximity
- Partner from the center; potential for an advice model
- Aligned agency, on the ground to drive
- Distributed, dedicated team; great proximity; coach
Graphic labels: 2nd line - oversight of risk; 1st line - management of risk. At the centralised end, the 1st line are experienced, self-sufficient practitioners; at the distributed end, the 2nd line provides advice, training and consultancy.
Typical activities:
- Proposal of risk appetite and risk policies
- Monitoring adherence to risk limits
- Reviewing and monitoring specific risk policies
- Portfolio monitoring and review
- Risk approval of transactions within specified limits and mandates
- Cascade of board-approved risk limits into specific limits for business activities
- Assurance and thematic review
- Teaching, training, coaching

21 Impact on current ERM practices: Risk appetite framework and tools
- Risk appetite: How much risk is the company willing to accept in pursuit of value and growth?
- Risk-taking capacity: What is the maximum risk that the company can possibly take, given appetite, linked to available capital or equity, liquid assets, borrowing capacity, and resources?
- Target risk profile: Given the risk appetite and capacity, what should the company's risk profile look like, considering business objectives and external perceptions?
- Actual risk profile: What does the company's risk profile look like given the current state of risk strategies and plans?

22 Impact on current ERM practices: Risk appetite framework and tools. Risk tolerance/limit
Risk appetite is cascaded through the business plan into risk categories, and each risk type within a category is given a measure and a limit (columns below: Risk type | Type | Measure | Limit).
Financial Risk (risk types: interest rate, default, inflation, credit). Credit example:
- Credit | Counterparty | BU minimum financial strength: credit rating | A-
- Credit | Counterparty | Average credit rating | A
- Credit | Asset quality | Aged debt report, % > 30 days | 20%
Operational Risk (risk types: people, technology, procurement, business continuity, contracts). People example:
- People | Turnover | Number of resources resigning in a year | X or X%
- People | Conduct | Instances of misconduct | X
- People | Training | Training sessions attended | X per year
Reserving (risk types: catastrophe, concentration). Catastrophe example:
- Catastrophe | Wind | 1 in 100 year peak peril | $X
- Catastrophe | Quake | 1 in 250 year peak peril | $X
- Catastrophe | All perils | In X years | Lower of $X

23 Impact on current ERM practices Risk appetite framework and tools 23

24 Impact on current ERM practices Risk culture what is below the surface? 24

25 Impact on current ERM practices Risk culture - conceptual framework 25

26 Closing thoughts

27 Closing thoughts: Keys to long-term ERM success
Achieving a successful ERM program requires a holistic and integrated approach to managing risk, and can be accomplished through the following, as highlighted in our latest ERM thought leadership piece, Enterprise risk management: Protecting and enhancing value:
- Future-focused ERM content
- Single view of risk appetite
- Tailored, proportionate ERM process
- Efficient and aligned governance, risk, and compliance activities

28 Questions?

29 Thank you. Sarah Ann Moore, Director, Internal Audit and Enterprise Risk, KPMG. Tel:

30 kpmg.com/socialmedia
Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates. KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity, is in all respects subject to our client and engagement acceptance procedures as well as the negotiation, agreement, and execution of a specific engagement letter or contract. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. The KPMG name and logo are registered trademarks or trademarks of KPMG International.