Enterprise Risk Management Aligning Risk With Strategy and Performance

Transcription

1 Enterprise Risk Management Aligning Risk With Strategy and Performance Jeff Thomson, CMA, CAE President and CEO Institute of Management Accountants 1

2 Learning Objectives Understand how integrating the COSO Enterprise Risk Management (ERM) Framework into an organization assists in the achievement of their mission and strategic goals. Apply the COSO Framework to overall company governance, strategy setting, business planning, execution, monitoring, and adapting. Evaluate the resiliency and adaptability of your organization, using the COSO Frameworks. 2

3 About COSO > 600,000 professionals Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM) internal control and fraud deterrence

4 Mission Mission: To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations Fundamental Principle: Good risk management and internal control are necessary for long term success of all organizations

5 Thought Leadership to Improve Your Organization

6 New COSO ERM Framework - Summary Provides greater insight into the role of enterprise risk management when setting and executing strategy. Enhances alignment between performance and enterprise risk management. Accommodates expectations for governance and oversight. Recognizes the globalization of markets and operations and the need to apply a common, albeit tailored, approach across geographies. Presents new ways to view risk to setting and achieving objectives in the context of greater business complexity. Expands reporting to address expectations for greater stakeholder transparency. Accommodates evolving technologies and the growth of data analytics in supporting decision-making. 6

7 Current State of ERM Practices in Business - Getting Better, Still Immature in Strategic Application 7

8 ERM Value Proposition Then Versus Now Risk Mitigation Risk Elimination Value Preservation + Value Creation + Value Optimization + Leveraging Risk to Create Differentiation 8

9 Enterprise Risk Management and Internal Control Different But Connected The document does not replace the 2013 Internal Control Integrated Framework The two frameworks are distinct but complementary Both use a components and principles structure Aspects of internal control common to enterprise risk management are not repeated Some aspects of internal control are developed further in this framework China MOF has commented on this separation 9

10 Relating Frameworks and Business Model (note: COSO ERM Framework revised no cube!!) Internal Control Integrated Framework Deals with alternate risk reduction Enterprise Risk Management Integrated Framework Focuses on Strategic Objectives Deals with alternate risk responses (risk avoidance, acceptance, sharing, and reduction) Contextual Business Model 10

11 Risk Powers Performance Fit for Growth 11

12 Culture, Controls, or Both? 12

13 One branch manager had a teenage daughter with 24 accounts, an adult daughter with 18, a husband with 21, a brother with 14 and a father with 4. A distortion of the sales culture and performance management system pressured employees to sell unwanted or unneeded products to customers and, in some cases, to open unauthorized accounts Source: WSJ and SF Chronicle 13

14 Satellite Technology Improves Detection Mexican homebuilding company, Desarrolladora Homex S.A.B. de C.V., has agreed to settle accounting fraud charges with the Securities and Exchange Commission after it allegedly falsified sales of over 100,000 homes to inflate revenue on its financial statements for three years in a row, claiming to have built homes for which satellite images showed not a trace. 14

15 L3 Technologies Settles $1.6M Revenue Recognition Case January 12, 2017 One of the largest U.S. defense contractors has agreed to pay more than $1.6 million to settle charges of booking millions of dollars in improper revenue that allowed some executives to barely satisfy targets for incentive bonuses, the SEC said on Wednesday. A senior finance official ordered 69 invoices be generated, even though there was never any agreement with the Army on payment for the work, the SEC said. The invoices were never delivered, but L3 recorded the revenue anyway. 15

16 Tone is Critical internal control over financial reporting and disclosure controls and procedures will not be effective at December 31, The improper conduct of the company's former Chief Financial Officer and former Corporate Controller, which resulted in the provision of incorrect information to the Committee and the company's auditors, contributed to the misstatement of results. In addition, as part of this assessment of internal control over financial reporting, the company has determined that the tone at the top of the organization and the performance-based environment at the company, where challenging targets were set and achieving those targets was a key performance expectation, may have been contributing factors resulting in the company's improper revenue recognition. 16

17 Impact on Value May 9 (Reuters) - Online lending platform operator Lending Club Corp said its Chief Executive and Chairman Renaud Laplanche has resigned following an internal review, which revealed a violation of the company's business practices. Shares of the company were down 15.6 percent at $5.99 in premarket trading. The review revealed that loans extended to a single investor did not conform to instructions, with certain employees being aware that the sale did not meet the investor's requirements, the company said on Monday. 17

18 COSO Enterprise Risk Management A Framework Tied To Strategy 18

19 Why Implement Sound ERM Principles Integrating enterprise risk management throughout an organization improves decision-making in governance, strategy, objective-setting, and day-to day operations. It helps to enhance performance by more closely linking strategy and business objectives to both risk and opportunity. The diligence required to integrate enterprise risk management provides an entity with a clear path to creating, preserving, and realizing value. 19

20 Basic Definitions Risk The possibility that events will occur and affect the achievement of strategy and business objectives (or will not occur) Enterprise Risk Management The culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value 20

21 Risk Appetite and Acceptable Variation in Performance Risk Appetite The amount of risk, on a broad level, an organization is willing to accept in pursuit of value Acceptable Variation in Performance The boundaries of acceptable outcomes related to achieving business objectives 21

22 ERM Must Be Linked to Strategy When enterprise risk management and strategy-setting are integrated, an organization is better positioned to understand: How mission, vision, and core values form the initial expression of acceptable types and amount of risk for consideration when setting strategy. The possibility of strategies and business objectives not aligning with the mission, vision, and core values. The types and amount of risk the organization potentially exposes itself to from the strategy that has been chosen. The types and amount of risk to executing its strategy and achieving business objectives. 22

23 Strategy in Context Strategy is put in the context of the company s mission, vision, core values and desired performance along with the risks to success. 23

24 ERM Focuses On Integration Integrates enterprise risk management with other business processes: Governance Processes Strategy Setting Objectives Setting Performance Management Focuses on applying enterprise risk management at various levels of the organization (e.g. entity level, business unit, division) 24

25 Risk Profiles, Risk Appetite and Performance It is up to management to determine their risk appetite relative to their desired level of performance. The 2 issues are interrelated and need to be managed as such 25

26 The New COSO ERM Framework Details! 26

27 The COSO ERM Framework Let s Drill Down More 27

28 Provides a New Document Structure Framework focused on five components Uses focused examples to emphasize key points (> 30) Follows the business model versus an isolated risk management process

29 20 key principles within each of the five components

30 Component 1 Governance & Culture 30

31 Governance & Culture Principles 31

32 Board Independence Is Critical To Effective ERM Practices 32

33 Ten Principles Of Risk Oversight 1 Understanding the company s key drivers of success 6 Encourage dynamic, constructive risk dialogue between management and the board 2 Assess the risk inherent in the strategy 7 Closely monitor the potential risks in the company s culture and its incentive structure 3 Define the role of the full board and its standing committees with regard to risk oversight 8 Monitor critical alignments of strategy, risk, controls compliance incentives and people 4 Consider whether the risk management system is appropriate and sufficiently resourced 9 Consider emerging and interrelated risks: What s around the next corner? 5 Understand and agree with management the types and format of risk information required 10 Periodically assess the risk oversight process in view of the board s oversight objectives 33

34 Real World Example The Tone At The Top But BE Established 34

35 Performance, Culture & Talent Development are all Intertwined Real World Example 35

36 Component 2 Strategy & Objective Setting 36

37 Strategy & Objective Setting Principles 37

38 Real World Example Be Clear About Your Strategy 38

39 Environmental Scans Are Critical 39

40 Understand Your Risk Appetite 40

41 Component 3 - Performance 41

42 Performance Principles 42

43 Develop A Portfolio View Of Risk 43

44 Component 4 Review & Revision 44

45 Review & Revision Principles 45

46 Make Business Performance Reviews and Risk Reviews A Normal Part of Everyday Operations Integrating reviews into business practices: Has the entity performed as expected and achieved its target? What risks are occurring that may be affecting performance? Was the entity taking enough risk to attain its target? Was the estimate of the amount of risk accurate? 46

47 Component 5 Information, Communication & Reporting 47

48 Information, Communication & Reporting Principles 48

49 Find And Use All Available Data Source To Make the Best Decisions 49

50 COSO ERM Framework

51 The Intersection of ERM And Innovation 51

52 Innovation Intents Risk Management/Sensing and Innovating with Intent 52

53 ERM & Innovation Likenesses: Risk Appetite statement and tolerance discussions happen in/should happen in both Innovation and ERM forums ERM and Innovation should both be integrated into the existing business processes, planning, reporting and monitoring not separate activities - to create sustainable value ERM and Innovation need to be inextricable linked to Strategy & Objectives and Execution & Optimization for maximum value 53

54 ERM & Innovation Leverage points: Organizations make money by taking on risk and delivering value. ERM & Innovation should be a joint discussion looking at risks to drive internal and external value. Using ERM as a source, fill your innovation pipeline. Organizations don t have to guess or solicit random ideas. Innovating with strategic intent ERM already should have the C-suite engaged. Aside from risk monitoring, controls and business management, the C-suite has a growth agenda. ERM traditionally tied into Governance and Audit subcommittees. Extend ERM & Innovation discussions with the full Board and specifically the Executive Committee. 54

55 COSO ERM Framework

56 Questions and Discussion 56