Next-generation enterprise risk management


Advancing strategy and performance in light of the COSO 2017 refresh

Heading into the beginning of the year, the EY Center for Board Matters published the Top priorities for US boards in 2017, which highlighted the importance of seizing opportunities while enhancing risk management as a key board priority. In particular, we emphasized the need to apply a more balanced, agile and integrated approach to enterprise risk management (ERM) in order to sustain performance. The September 2017 release of the new COSO publication, Enterprise Risk Management: Integrating with Strategy and Performance, an update of COSO's 2004 ERM framework, supports this expanded approach to ERM. The COSO update addresses the evolution of ERM and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. It also highlights the importance of considering risk both in the strategy-setting process and in driving performance, and of integrating ERM with the strategies and performance objectives of an organization.

This update:
- Provides greater insight into the value of ERM when setting and carrying out strategy
- Enhances alignment between business performance and ERM to improve the setting of performance targets and the understanding of the impact of risk on performance
- Accommodates expectations for governance and oversight
- Recognizes the globalization of markets and operations, and the need to apply a consistent and tailored approach across geographies
- Presents new ways to leverage risk information in setting objectives and monitoring developments in the context of greater business complexity
- Expands reporting to address expectations for greater stakeholder transparency
- Promotes evolving technologies and the use of data and analytics in supporting decision-making
- Sets out core definitions, components and principles for all levels of management involved in designing, implementing and conducting ERM practices

Limitations of conventional ERM

Most companies' ERM programs operate with a compliance and informational focus and result in a highly detailed catalog of wide-ranging risks that exist within the organization, ranging from the nominal to the potentially catastrophic. Oftentimes, historical ERM processes have run independently and have not been integrated into the cadence of an organization's strategy-setting and performance management processes, sometimes resulting in mismanaged risks. While the traditional compliance-based ERM approach is good for identifying and managing preventable risks, a company's strategic risks or external risks, such as cybersecurity, require a different approach based on open and explicit risk discussions. Many organizations apply a wide-ranging risk identification process rather than first considering the risks embedded in their business strategies. This may lead to some organizations failing to understand how megatrends are presenting risks to already established business models.

The board's role in ERM

COSO defines ERM as "The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value" and emphasizes that organizations are most successful when they leverage the consideration of culture, strategy and business objectives in risk management. The framework is organized into five revised components and several underlying principles that overlay the business processes of the organization.

Enterprise risk management components*

Governance and culture: Governance and culture together form a basis for all other components of enterprise risk management. Governance sets the entity's tone, reinforcing the importance of enterprise risk management and establishing oversight responsibilities for it. Culture is reflected in decision-making.

Strategy and objective setting: ERM is integrated into the entity's strategic plan through the process of setting strategy and business objectives. With an understanding of business context, the organization can gain insight into internal and external factors and their effect on risk. An organization sets its risk appetite in conjunction with strategy setting. The business objectives allow strategy to be put into practice and shape the entity's day-to-day operations and priorities.

Performance: An organization identifies and assesses risks that may affect an entity's ability to achieve its strategy and business objectives. It then prioritizes risks according to their severity and consideration of the entity's risk appetite. The organization then selects risk responses and monitors performance for change. In this way, it develops a portfolio view of the amount of risk assumed in the pursuit of its strategy and entity-level business objectives.

Review and revision: By reviewing ERM capabilities and practices, and the entity's performance relative to its targets, an organization can consider how well the ERM capabilities and practices have increased value over time and will continue to drive value in light of substantial changes.

Information, communication and reporting: Communication is the continual, iterative process of obtaining information and sharing it throughout the entity. Management uses relevant information from both internal and external sources to support enterprise risk management. The organization leverages information systems to capture, process and manage data and information. By using information that applies to all components, the organization reports on risk, culture and performance.

Board risk oversight responsibilities
- Assess appropriateness of strategy, and risk inherent in the strategy
- Define board risk governance role and structure
- Oversee alignment of performance and risk taking to balance short- and long-term strategy achievement
- Understand how risks are monitored
- Set expectations for integration of ERM into business management processes
- Discuss and understand risk appetite and alignment with expectations
- Require management to demonstrate understanding of risk capacity and ability to withstand large, unexpected events
- Review strategy against risk profile
- Set expectations for risk reporting, including risk appetite
- Understand risk assessment process
- Understand most significant risks and response strategies
- Understand scenarios that could alter risk profile
- Ask about manifesting risks
- Challenge management to demonstrate suitability and functionality of ERM process
- Identify information required to execute board oversight
- Access internal and external information for oversight
- Obtain independent assessment of management perceptions and assumptions

* COSO's definition of the five components of the framework as published in Enterprise Risk Management: Integrating with Strategy and Performance, September 2017.

November

What is next-generation ERM?

The big step in ERM lies in shifting from primarily enterprise risk monitoring to risk-enabled performance management: it effectively expands ERM from a protective risk management mindset to a "protect and grow" mindset. We call this evolving discipline next-generation ERM. It adds a critical layer to the conventional approach by putting a focus on the need to embed and better integrate strategy and performance risk considerations into existing ERM processes. The future of ERM will call for a shift to viewing risks along the lines of key uncertainties that drive variability of business results (such as customer acceptance of new channels, technological capabilities and cybersecurity breaches) and aligning risk management with the entirety of the business. By doing so, organizations can reduce performance variability and enhance their resiliency and their ability to anticipate and respond to the ever-evolving, dynamic risk landscape.

A robust ERM approach starts with organizational purpose and performance objectives as the foundation of risk identification. ERM programs need not only to analyze the risks to executing strategy, but must also test the viability and longevity of the strategy itself. There is little value in seeking to mitigate the risks around executing strategy if the organization does not stress test the strategy against key external risks. EY's recent Governance, Risk and Compliance Survey indicates that organizations need to think about, manage and respond to risk differently to better drive performance.

Next-generation ERM practices focus on advancing an organization's strategic thinking and identifying and assessing the risks that impact business strategy. Organizations should also evaluate areas where they should embrace taking risk, and aggressively seize the upside of taking calculated risks. This requires transforming the way an organization views and capitalizes on risk; we call this building a risk-aware organization.

In addition to advancing their strategic thinking, organizations should optimize their functions and processes, and embed and execute solutions that help them respond to and manage risk as a core aspect of their business. EY's next-generation ERM framework is based on the following three components:

Advance: To achieve performance goals, organizations must advance their strategic thinking by: 1) identifying and assessing the risks that impact their business strategy and 2) responding to those risks using three categories: strategic, preventable and external. This enables organizations to expand their focus from the risks they can control to include the ones they cannot control or need to balance in order to better drive performance.

Optimize: To efficiently and effectively respond to risk, organizations must optimize their functions and processes. This is driven by: 1) an operating model with clear ownership and accountability across the three lines of defense; 2) alignment of the right talent and skill sets to that model; and 3) designing processes to govern the execution of risk activities. This results in the structure and mechanisms necessary to facilitate coordination, communication and reporting throughout the enterprise.

Embed: Once the functions and processes are properly in place, organizations can more easily embed and execute solutions that help them respond to and manage risk as a core aspect of their business. These solutions, designed around the three risk categories above (strategic, preventable and external), enable the organization to prevent, balance or limit the impact of risks. Leveraging enablers such as technology and digital solutions (such as automation and analytics), organizations can support and sustain these solutions while driving efficiencies and enhancing their risk management practices.

As ERM is evolving, so too is risk reporting

How the board oversees which opportunities and risks are avoided or taken, and how risks are mitigated, is critical not only to minimizing financial and compliance-related risks but also to long-term value creation. Effective ERM reporting enables the board to fulfill several of its key risk-oversight obligations. Heat maps or catalogs of risk with little interpretation of their effects on the organization's performance and strategic objectives can compromise the board's work on risk management on several fronts, especially as it relates to identifying and addressing critical enterprise risks and emerging risks. Risk reporting under next-generation ERM seeks to use, analyze, summarize and contextualize the information that comes out of the traditional ERM process, all with the aim of providing management and boards with clearer information that can assist in the oversight of risk, strategy and performance. It eliminates the noise from the long and complex list of risks in the conventional ERM heat map and provides clearer analysis of the nature and impact of the uncertainties that affect business results and strategic plans.

Under this new approach, risks are not identified and assessed using a conventional, relativistic rating scale. They are assessed specifically for their potential effects on the key strategic goals in question, so that their relative potential effects are clear. With next-generation ERM, the composite risk to business objectives is made explicit, providing critical context for management decisions and oversight. This contextualized assessment can also be used to better assess how much actual performance could vary from expectations, providing the insights the board needs to discern whether management is focused on the right priorities and risks.

The illustrative dashboard report below highlights how risk reporting is evolving to give boards line-of-sight into the individual risk indicators that management has determined pose the greatest threat to the strategic objectives. The board can then perform its oversight role more effectively than with conventional ERM reporting. This presentation of risks can significantly facilitate the understanding, assessment and treatment of key strategic risks, enabling productive discussions of the topic between boards and executives. Boards have greater visibility into the tangible value linked to risk management efforts and also line-of-sight into who within management is accountable for each risk. The board can use this discussion to help make certain that management is focused on the correct risks and that risk exposure levels are better monitored and integrated into decision processes. To further facilitate discussions around risks, leading organizations are also focused on enhancing their risk analysis through data analytics. Through better linkages between risk and performance, the ERM process can help provide forward-looking risk insights and predictive indicators, which will allow boards to have better oversight of emerging risks and strategic pivot points.

Illustrative consolidated risk dashboard: ERM report 2017.H1

Columns: Goal | Target | Risk range (Downside) | Risk range (Upside) | Priority | Key indicators

Organic growth | 12% by [year not legible] | [value not legible]% | 13% | High | YOY revenue (existing products); Revenue from new product launches; Revenues from new customer sales
Cash flow | 5% EBITDA | 4% EBITDA | 7% EBITDA | Low | Labor cost increase; Gross margin % increase; Non-labor SG&A % increase
Brand | #1 or #2 by market share | < #2 in 1+ core markets | #1 in all core markets | Medium | Customer loyalty index; % change in net promoter scores; Net increase in social media subscribers
Operational excellence | 1.5 asset turnover ratio | 1.3 ATR | 1.7 ATR | Medium | Defect rate %; Production asset downtime; Critical IT systems availability; Employee engagement scores
Talent transformation | #1 employer in industry | < #2 employer | #1 employer | High | Labor mix (traditional, virtual, bots); Turnover rate; Training hours per FTE
Digital and IT transformation | 20% process automation by 2020 | < 10% process automation | > 25% process automation | High | Processes using robotics or AI; % data on cloud; Legacy IT system requirements

Conclusion

By applying an ERM approach that both protects the company and enhances its ability to grow, boards can better recognize which risks differentially impact business outcomes. By doing so, organizations can improve how those risks are managed in order to best protect the business, enhance performance and drive value creation. As a result, board members can develop a clearer context for overseeing management's risk priorities and mitigation plans. They can also enhance their own ability to strike a more appropriate balance between seizing the upside of calculated risks and mitigating those risks that exceed a company's risk tolerance. Such an approach can also bolster investor confidence in both management and the board.

Questions for the board to consider
- Is the company's risk-management framework aligned with the organization's strategy to better enable performance and inform decision-making?
- Do the organization's ERM practices incorporate forward-looking insights and the use of data analytics to determine trends and predictive indicators?
- Has management clearly articulated the aggregate risk to achieving its strategic goals and properly applied the organization's risk tolerance to determine risk-management priorities?
- Are the company's ERM processes integrated with existing business processes to drive value and better inform decision-making?

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

About the EY Center for Board Matters

Effective corporate governance is an important element in building a better working world. The EY Center for Board Matters supports boards, committees and directors in their oversight role by providing content, insights and education to help them address complex boardroom issues. Using our professional competencies, relationships and proprietary corporate governance database, we are able to identify trends and emerging governance issues. This allows us to deliver timely and balanced insights, data-rich content, and practical tools and analysis for directors, institutional investors and other governance stakeholders.

EYGM Limited. All Rights Reserved.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.