Successful ERM Program Standards. Definitions of Enterprise Risk Management (ERM)


Successful ERM Program Standards
Enterprise Risk Management, Vendor Management, Business Continuity, IT GRC, Internal Audit, Regulatory Compliance Manager
William C. Hord, V.P. of Enterprise Risk Management Services
September 18, 2016, Solutions Track 3

Definitions of Enterprise Risk Management (ERM)

The Risk Management Society (RIMS): "Enterprise Risk Management (ERM) is a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio." (What is ERM?, [2015] RIMS, the risk management society. All rights reserved.)

Definitions of Enterprise Risk Management (ERM)

The Risk Management Association (RMA): "Enterprise risk management (ERM) is an organization's enterprise risk competence: the ability to understand, control, and articulate the nature and level of risks taken in pursuit of business strategies, coupled with accountability for risks taken and activities engaged in, which contributes to increased confidence shown by stakeholders." (Enterprise Risk, [2016] The Risk Management Association. All rights reserved.)

The Committee of Sponsoring Organizations of the Treadway Commission (COSO): "Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (Enterprise Risk Management Integrated Framework, [2004] Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved.)

Definition of Enterprise Risk Management (ERM): Consensus

It is a process to achieve:
- Success, effected by the organization's Board of Directors, Management and other Personnel;
- A strategic business discipline that supports the achievement of an organization's objectives;
- Risk optimization that integrates risk management across the organization;
- Risk identification relevant to the organization's objectives and opportunities;
- Risk assessment in terms of likelihood and magnitude of impact;
- An appropriate response strategy;
- Progress monitoring; and
- Increased confidence by stakeholders.

Why is ERM Important?
- Create the ability to define your risks, apply controls and effectively obtain the necessary information from these to maximize your organization's success;
- Create an approach that is relevant and specific to your organization, which gives you the proper tools necessary to enhance your business decision-making processes;
- Create a baseline for assessing the value of your risk analysis and reactions to risks within levels defined by your organization's risk strategy;
- Create a baseline for assessing the value of your internal controls and how they relate to your organization's risk strategies;
- Create additional confidence in the ability to oversee risks and controls throughout the organization and how they impact your organization's strategy; and
- Create additional confidence in your regulators and auditors related to your ability to proactively respond to risks within your organization.

ERM Challenges
- Board and Executive Buy-In;
- Departmental Buy-In;
- Ownership;
- Defining Your Risk Strategy;
- Defining Your Risk Appetite;
- Defining Your Risk Language;
- Defining Your Risk Measurement;
- Prioritizing Process Risks Across the Organization;
- Identifying and Appropriately Categorizing Risks and Their Impact;
- Prioritizing Risk Mitigation;
- Proper Assignment and Follow-up of Risk Mitigation;
- Effective Reporting; and
- Creating and Maintaining a Risk Culture.

1. Obtain Board of Directors and Executive Management Buy-In:
   1. Discuss ERM with the Board of Directors and Executive Management;
   2. Determine Your ERM Objectives;
   3. Determine the Communication Process with the Board of Directors and Executive Management;
   4. Determine the Expectations for the Organization as a Whole; and
   5. Determine Your Course, Timeframes, Resources and Targets for the Start of Your ERM Program.

2. Define Organizational Roles and Responsibilities:
   1. Board of Directors: Primarily accountable for all risks within the organization;
   2. CEO: Overall day-to-day risk management responsibilities are generally delegated to the CEO by the Board;
   3. Executive Management: Develop policies and procedures to support the risk process and participate in the risk committee;
   4. Departments: Help risk management and the organization to identify, assess, measure, monitor, control, and report risks;
   5. Risk Management Leader: Assist in the creation, implementation, and maintenance of the ERM program; provide necessary reporting to the Board, CEO and Executive Management; and promote a risk-based culture; and
   6. Internal Audit: Help monitor and provide independent assurance of the effectiveness of the overall ERM program.

3. Assign a Leader to Oversee the ERM Program:
   1. Your Risk Management Leader should have the following competencies:
      1. Risk identification;
      2. Understanding of the organization's business;
      3. Respected throughout the organization; and
      4. Highly effective communicator.
   2. Current position at executive level; and
   3. Ensure resources are available to them to accomplish the organization's objectives.

4. Create ERM Committee (Management Group Until Formal Committee Charter):
   1. Ensure Key Individuals' Involvement on the Committee. Your Committee should be made up of individuals within the organization who represent executive management and potentially department management, to ensure cross-functional risk discussions;
   2. Assist in establishing the risk measurement ratings for the organization;
   3. Assist in setting ERM objectives;
   4. Assist in determining the appropriate reporting process for the Board of Directors and Executive Management; and
   5. Assist in promoting a risk-based culture.

5. Create ERM Policy:
   1. At minimum your ERM Policy should cover the following areas:
      1. Purpose and Objectives for ERM;
      2. Definitions;
      3. Policy Statement;
      4. Roles, Responsibilities, and Authority;
      5. Commitment to ERM;
      6. Ongoing ERM Oversight; and
      7. Reporting to the Board of Directors.

6. Create ERM Charter:
   1. At minimum your ERM Charter should cover the following areas:
      1. Purpose;
      2. Committee Composition;
      3. Meetings;
      4. Reports;
      5. Responsibilities and Duties; and
      6. Annual Evaluation.

7. Create Risk Categories and Definitions:
   1. The Risk Categories you choose will be the areas of risk against which you will view all your products and processes to determine your risks within each one;
   2. The Risk Definitions will be the specific definition you establish for each Risk Category to ensure consistency when discussing risk.

   Example. Strategic Risk: "The current and prospective risk to earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. This risk is a function of the compatibility of a credit union's strategic goals, the business strategies developed to achieve those goals, the resources deployed to accomplish these goals, and the quality of implementation. The tangible and intangible resources needed to carry out business strategies include communication channels, operating systems, delivery networks, monitoring systems, and managerial capacities and capabilities." (Chapter 1, Examiner's Guide, NCUA)

8. Create Risk Likelihood and Impact Ratings:
   Example:
   1. Risk Likelihood represents the possibility that a given event will occur;
   2. Risk Impact refers to the extent to which a risk event might impact the organization's Assets and/or Capital.

9. Create Control Rating and Effectiveness:
   1. The Control Rating is your assessment of its strength as a control;
   2. The Control Effectiveness is your assessment of its effectiveness as a control.

   Example Control Rating:
   Not Implemented = No Control Mitigation.
   Weak = Least Control: the exposure is somewhat mitigated by the control.
   Weak Moderate = Partial Control: the exposure is partially mitigated by the control.
   Moderate = Mainly Controlled: the exposure is largely mitigated by the control.
   Moderate Strong = Almost Entirely Controlled: the exposure is almost completely mitigated by the control.
   Strong = Predominantly Controlled: the exposure is extremely well mitigated by the control.

   Example Control Effectiveness:
   Not Implemented = 0%
   Ineffective = greater than 0% and less than 25%
   Partially Effective = 25% or more and less than 65%
   Effective = 65% or more and less than 95%
   Highly Effective = 95% or more

   When these two are combined they represent your Total Control Value, which brings down your Gross/Inherent Risk. Once applied, you will have your Residual Risk value.

10. Risk Appetite: "The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy, and in turn influences the entity's culture and operating style. Risk appetite guides resource allocation. Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks." (Enterprise Risk Management Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved.)

Defining Your Risk Appetite: Example:

11. Risk Assessment:
   1. Assemble your team and begin a discussion around the most significant risks associated with your current:
      1. Strategic Objectives & Initiatives; or
      2. Products; or
      3. Business Processes.
   2. Create a short list of the perceived significant risk areas; and
   3. Start small, possibly fewer than 10 significant risk areas.

12. Determine Your Inherent/Gross Risk (Likelihood x Impact):
   1. Begin to utilize your Risk Categories and Likelihood/Impact ratings across your list of significant risk areas; and
   2. Once you have assessed all your significant risk areas, prioritize them based upon their Inherent/Gross Risk Score.

13. Apply Control Rating and Effectiveness:
   1. Begin with your most significant Gross Risk area; and
   2. Discuss the various controls currently in place and rate them utilizing your Control Rating and Effectiveness table.

14. Missing or Inadequate Existing Controls (Mitigation Action Items):
   1. During your Controls discussion you may determine that there are missing and/or inadequate existing controls;
   2. Create a Mitigation Action Items Report containing at least the following information:
      1. Objective/Product/Process Name the Mitigation Action Item is Tied To;
      2. Mitigation Action Item Name;
      3. Mitigation Action Item Assigned To;
      4. Mitigation Action Item Status;
      5. Mitigation Action Item Due Date;
      6. Mitigation Action Item Completed Date;
      7. Mitigation Action Item Days Past Due Date; and
      8. Mitigation Action Item Comments.
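As an added illustration that is not part of the presentation, the following Python risk register applies the Likelihood x Impact scoring of step 12, the Control Effectiveness bands of step 9, and flags areas rated below the Effective band as step 14 mitigation candidates. The 1 to 5 likelihood/impact scale, the register entries, and the rule that residual risk is gross risk reduced by the control's effective share are assumptions, since the deck names a Total Control Value without giving its formula and its rating tables were slide images.

```python
from dataclasses import dataclass

def control_effectiveness_band(pct: float) -> str:
    """Map an effectiveness percentage to the deck's Control Effectiveness bands."""
    if not 0 <= pct <= 100:
        raise ValueError("effectiveness must be a percentage from 0 to 100")
    if pct == 0:
        return "Not Implemented"
    if pct < 25:
        return "Ineffective"
    if pct < 65:
        return "Partially Effective"
    if pct < 95:
        return "Effective"
    return "Highly Effective"

@dataclass
class RiskArea:
    name: str
    category: str                 # one of the deck's Risk Categories
    likelihood: int               # assumed 1 (remote) .. 5 (almost certain)
    impact: int                   # assumed 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # percentage, 0..100
    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be rated 1..5")
    def gross_risk(self) -> int:
        # Inherent/Gross Risk = Likelihood x Impact (step 12)
        return self.likelihood * self.impact
    def residual_risk(self) -> float:
        # Assumed rule (deck gives no formula): control removes its effective share
        return round(self.gross_risk() * (1 - self.control_effectiveness / 100), 2)

def rank_by_gross_risk(areas):
    """Order the significant risk areas, highest Gross Risk first (step 12.2)."""
    return sorted(areas, key=lambda a: a.gross_risk(), reverse=True)

def needs_mitigation_action(areas):
    """Areas whose controls fall below the Effective band: step 14 candidates."""
    return [a for a in areas if control_effectiveness_band(a.control_effectiveness)
            not in ("Effective", "Highly Effective")]

# Constructed sample register; not data from the presentation.
SAMPLE_REGISTER = [
    RiskArea("Member data breach", "Reputation", 3, 5, 70),
    RiskArea("BSA/AML filing lapse", "Compliance", 4, 4, 40),
    RiskArea("Core system outage", "Transaction", 2, 5, 95),
    RiskArea("Loan pricing error", "Interest Rate", 3, 2, 0),
]
```

Ranking by gross risk and then by residual risk gives the two orderings step 15 reports side by side.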

15. Reporting Risks and Mitigation Action Items:
   1. You can now start reporting the Risks you outlined and how they rank related to:
      1. Inherent/Gross Risk;
      2. Residual/Net Risk.
   2. Your report can also show how these risks rank related to your Risk Categories, such as:
      1. Compliance;
      2. Credit;
      3. Interest Rate;
      4. Liquidity;
      5. Reputation;
      6. Strategic;
      7. Transaction, etc.
   3. Your report should also show the status of where you are in the process of creating and/or enhancing existing Controls via your Mitigation Action Item Plans.

16. Growing and Maturing Your ERM Program:
   1. Start to expand your Risk Assessments to include other:
      1. Strategic Objectives;
      2. Strategic Initiatives;
      3. Products;
      4. Business Processes, etc.
   2. Continue educating your Board of Directors and Management;
   3. Involve more departments and employees in the assessment process.

16. Expanding and Maturing Your ERM Program (continued):
   4. Review annually your:
      1. ERM Policy;
      2. ERM Charter;
      3. Risk Appetite.
   5. Begin to introduce Departmental:
      1. Key Performance Indicators (KPI); and
      2. Key Risk Indicators (KRI).
   6. Request Internal Audit to evaluate your:
      1. ERM Program;
      2. Risks; and
      3. Controls.

Questions?

Session Description

Enterprise Risk Management (ERM) programs must be effective. Organizations need to determine, assess and prepare for any risks that may disrupt their goals and objectives. ERM is critical for industry growth in today's fast-paced and ever-changing risk landscape. Whether the impetus is from your Board, management or regulators, there are straightforward principles to a successful ERM program. Do you have robust Board and Management support? Have you defined the roles and responsibilities throughout your organization? Can you understand and articulate your organization's risk appetite, and how does that impact your business units? How are you measuring and rating your risk impact, likelihood and the controls to mitigate your risk? Is your policy consistent with the level of risk your organization wants to take? Does your organization understand the importance of a strong ERM program for a company poised for growth? This session will help to outline these principles and many more, allowing you to start or validate your ERM program structure. Please join us as we provide you with the baseline standards for a successful ERM program.

Covered Topics
- Why is ERM Important
- Definitions
- Challenges
- Board and Management Support
- Roles and Responsibilities
- Assignment of a Leader
- Committee
- Policy
- Charter
- Risk Categories
- Risk Likelihood and Impact Ratings
- Control Rating and Effectiveness
- Risk Appetite
- Risk Assessments
- Mitigation Action Reporting
- Growing and Maturing

Speaker's Bio

William "Bill" Hord has over 25 years of experience in executive management within the financial services industry, focused in risk management, financial software, and lending/collections. He recently spent the last several years as the VP of ERM helping to lead a Midwest credit union as their BSA Officer, Compliance Officer and Security Officer. While there, Mr. Hord was responsible for overseeing enterprise risk, business continuity, vendor management, compliance, fraud prevention, lending & new account quality assurance, BSA/AML, emergency response, physical security, bonding/insurance and audit management. Mr. Hord is COSO and Compliance Certified, along with being an exciting presenter, engaging the audience for maximum immersion in a given topic. He has consulted with numerous financial institutions across the country, helping them to shape and build their risk management programs. He can be reached at: William.Hord@Quantivate.com, Quantivate.com