The Role of the Chief Risk Office and the Board's Role in Risk Oversight


The Canadian Society of Corporate Secretaries, 16th Annual Corporate Governance Conference, Banff Springs Hotel, Banff, AB, August 24-27, 2014
The Role of the Chief Risk Office and the Board's Role in Risk Oversight
John Fraser, Senior Vice President, Internal Audit & former Chief Risk Officer, Hydro One Network Inc.
August 25, 2014

Objectives of this Session
- Provide some background on Enterprise Risk Management: how it evolved and why it is now a hot topic for board rooms
- Introduce the core fundamentals of Enterprise Risk Management: what it is, some of the tools, and how to explain it to executive management and the board
- Explain the Chief Risk Officer's role and how it interacts with the board or a board sub-committee
- Address the board's role in risk oversight: increased expectations and what to do

How Well is Risk Understood (2006)?
In 2006, 60% of directors felt they had an understanding of their company's risks, while executives said that only 18% of directors understood their company's risks.
Source: KPMG in Raising the Bar (April 2008), quoting the February 2006 McKinsey Quarterly Survey

How Well is Risk Understood (2013)?
In 2013, directors surveyed described their knowledge of the risks the company faced as follows:
- 15% of directors said they had a complete understanding
- 54% said they had a good understanding
- 29% said they had a limited or no understanding
Source: McKinsey & Company in Improving board governance, an online survey in April 2013 of 772 corporate directors, 34% of whom were chairs; 22% were from public companies and 78% from private companies.

What is risk management's contribution to your organization?
- 47% said: It is essential for adding value to our overall business
- 34% said: It can occasionally help us improve the way we do business
- 15% said: Its contribution to our overall organization is only marginal
- 4% said: It does not contribute to our overall business
Source: Based on a December 2012 survey by the Economist Intelligence Unit, published by KPMG in 2013 in Expectations of Risk Management Outpacing Capabilities: It's Time for Action

Some of the Challenges of Implementing ERM
- The business case: regulatory or effectiveness?
- Culture change
- Agreeing risk criteria (appetite / tolerances etc.)
- Staffing: who should lead, skills, workshops, how much data to analyse
- Level of detail (quantitative and/or qualitative)
- Software needs and selection

Benchmarking ERM
Source: Current State of Enterprise Risk Oversight, 5th Edition (June 2014), AICPA & NCSU

Benchmarking ERM (continued)
(Slide charts not reproduced in the transcription.)
Source: Current State of Enterprise Risk Oversight, 5th Edition (June 2014), AICPA & NCSU

Benchmarking ERM (continued)
                                                          2009   2013
Companies with a designated Chief Risk Officer              18     31
Financials with a designated Chief Risk Officer              -     53
Separate risk committees                                    22     43
Risk inventories kept at an enterprise level (all)          20     37
Risk inventories kept at an enterprise level (large cos.)    -     72
Risk inventories kept at an enterprise level (public cos.)   -     66
Risk inventories kept at an enterprise level (financials)    -     44
Source: Current State of Enterprise Risk Oversight, 5th Edition (June 2014), AICPA & NCSU

Integrating a Risk Framework into the Business
1. ERM Policy and Framework
2. Accountabilities (and the Chief Risk Officer role)
3. Risk Criteria (and appetite / tolerances)
4. Risk Identification (and the use of Risk Workshops)
5. Corporate Risk Profile
6. Business Planning

ERM Policy and Framework

ERM Policy and Framework
ERM Policy: ERM provides uniform processes to identify, measure, treat and report on key risks. This is the umbrella policy under which all other risk policies fall.
- Key principles include: portfolios of ALL types of risks, integrated with strategic and business planning, annual risk assessments, everyone's responsibility.
- Key accountabilities: Board and/or board committee, the Chief Executive Officer, Chief Financial Officer, Management and Chief Risk Officer.
- Key definitions, e.g. of risk.
ERM Framework: Establishes the basic process for all risk assessments etc.

Accountabilities (and the Chief Risk Officer Role)

Accountabilities in ERM
- Board (or committee): Corporate Risk Profile; Policy & Framework
- Executive Management: Risk Criteria (tolerances); Risk Profiles & Business Plans
- Line Management: Manage risks, $$

The Chief Risk Officer Role
- Alternative models: banks versus others
- Decision maker, facilitator or opinionator?
- Centralized/holistic view of the organization
Some issues:
- Who does the CRO work for? Management or the Board?
- Is the CRO a facilitator or a policeman?
Additional reading:
- Managing the Multiple Dimensions of Risk, Part II: The Office of Risk Management, by Anette Mikes, Assistant Professor, and Robert S. Kaplan, Baker Foundation Professor, Harvard Business School (2011)
- Becoming the Lamp Bearer: The Emerging Role of the Chief Risk Officer, by Anette Mikes, Assistant Professor, Harvard Business School (2009)
- Enterprise Risk Management: From Incentives to Controls, by James Lam, John Wiley & Sons (2003)

Accountabilities of Risk versus Internal Audit
- Core internal audit roles
- Roles with safeguards
- Roles audit should not undertake
Source: The Role of Internal Auditing in Enterprise-wide Risk Management, Institute of Internal Auditors (2004); Internal Auditing's Role in Risk Management, Institute of Internal Auditors (2011)

The Chief Risk Officer and the Board
Touch-points between the Board and the CRO:
- The ERM Policy and Framework approval
- Strategic Planning & Business Planning (objectives)
- Risk Criteria (e.g. impact scale, tolerances etc.)
- Formal Risk Profiles
- Frequent updates
- Educator (e.g. best practices, benchmarking)
- Advisor (e.g. hot topics, emerging risks)
- Whistleblower (not recommended)
- To be determined (e.g. risk workshops)

Risk Criteria and appetite/tolerances

Appetite/Tolerances/Criteria
Term        < 2004                 2004+    2009        2011
Appetite    Used interchangeably   COSO     -           Canada*
Tolerance   Used interchangeably   COSO     -           Canada*
Criteria    Used interchangeably   -        ISO 31000   Canada*
Attitude    Used interchangeably   -        -           Canada*
* = Implementation guide to CAN/CSA-ISO 31000, Risk management: Principles and guidelines (2011)

Use of Risk Criteria (Appetite & Tolerances etc.)
- In order to run effective risk workshops
- In order to create a common understanding of risks by the leadership team, the board and managers
- Criteria for business planning / resource allocation prioritization
"Risk is the effect of uncertainty on objectives" (ISO 31000)

Risk Criteria* include:
- the nature and types of causes and consequences that can occur and how they will be measured;
- how likelihood will be defined;
- the timeframe(s) of the likelihood and/or consequence(s);
- how the level of risk is to be determined;
- the views of stakeholders;
- the level at which risk becomes acceptable or tolerable; and
- whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered.
* = Per ISO 31000. Note: underlines for emphasis by John Fraser.

Turning Strategy into Risk Criteria (inc. Tolerances)
Strategic Planning -> Business Objectives -> Key Performance Indicators -> Risk Criteria (inc. Tolerances)
- Strategic Planning: How are we going to achieve our overall corporate aims?
- Business Objectives: What 6-10 objectives do we want to factor in to decision-making?
- Key Performance Indicators: How will we measure success for each business objective?
- Risk Criteria (inc. Tolerances): What is our attitude toward failure for each Key Performance Indicator?

Example of Risk Tolerances (Criteria)
Impact levels: 5 Worst Case, 4 Severe, 3 Major, 2 Moderate, 1 Minor. The risk tolerance line on the slide sits between levels 4 and 3: levels 5 and 4 are Intolerable, levels 3 to 1 are Tolerable.

Financial: net income shortfall (after tax, in one year)
- 5: >$150M shortfall
- 4: $75-150M shortfall
- 3: $25-75M shortfall
- 2: $5-25M shortfall
- 1: <$5M shortfall

Reputation: negative media attention; opinion leader and public criticism
- 5: National media attention; opinion leaders/customers nearly unanimous in public criticism
- 4: Provincial media attention; most opinion leaders/customers publicly critical
- 3: Significant local attention; several opinion leaders/customers publicly critical
- 2: Credible letter(s) to Ministry of Energy, to Premier, to Chair of OEB, or to Minister of Environment, that require action
- 1: Letter(s) to senior management

Customer/Reliability: outages on the Hydro One system
- 5: One of: >100,000 customers (Dx) or >1000 MW (Tx) for more than 7 days
- 4: One of: 40k-100k customers (Dx) or 400-1000 MW (Tx) for 4-7 days
- 3: One of: 10k-40k customers (Dx) or 100-400 MW (Tx) for 2-4 days
- 2: One of: 1k-10k customers (Dx) or 10-100 MW (Tx) for 4-24 hrs
- 1: One of: <1000 customers (Dx) or <10 MW (Tx) for <4 hrs

Actual Risk Criteria: Impact Scale
(Slide chart not reproduced in the transcription: the impact scale with its Intolerable / Tolerable line.)

Risk Identification and Evaluation
- The use of risk workshops
- The use of interviews
- The use of surveys

Risk Workshops
"Risk Management is a contact sport." (Diana Del Bel Belluz)
Risk workshops are facilitated for:
- Major projects, e.g. construction, information technology, mergers & acquisitions
- Major types of risks, e.g. environmental
- Lines of business, e.g. for business planning
- Executive team
- Board of Directors
Note: risk workshops will not work well in a dysfunctional organization.

Risk Interviews
- Based on the strategic objectives
- List of major external events since the last risk profile
- Prior list of top risks: to capture trends and ratings
- Listings of all possible existing and evolving risks
- Identification and input of organizational context and learnings
- Recognizes different styles of communicating (e.g. blue sky versus detailed)

Corporate Risk Profiles

Corporate Risk Profiles
- Purpose and benefits
- Frequency, e.g. semi-annual (?)
- Based on: interviews & databases (e.g. risk workshop results); trends & emerging risks (e.g. media scans)
- Reviewed by: Executive (Risk) Committee; Board or delegated board committee
- Input to strategic & business planning (and the internal audit plan)

Roll Up of Risk Interviews/Workshops
- Human Resources (R=2.6 / C=2.1)
- Volatile Work Schedule (R=2.5 / C=2.1)
- Commercial Culture (R=3.4 / C=2.1)
- Retaining Expertise (R=2.6 / C=2.0)
- Labour Agreements (R=2.4 / C=2.0)
- Training (R=2.5 / C=2.8)
- Competition (R=2.7 / C=2.5)
- Demographics (R=3.5 / C=2.3)
- Skills (R=2.5 / C=2.6)
- Budget (R=2.8 / C=2.6)

Risk Profile: Top Ten Format
Risk Source              March 2001   Dec. 2001   Risk Trend
Cost Reduction           Very High    Very High   (arrow on slide)
Regulatory Uncertainty   High         Very High   (arrow on slide)
Initial Public Offering  High         High        (arrow on slide)
Customer Relationships   High         Medium      (arrow on slide)
Human Resources          Medium       Medium      (arrow on slide)
Safety                   High         Medium      (arrow on slide)
Note: Each risk category is explained with a half-page analysis outlining the sources of the risk and the mitigants in place or planned.

Heat Map
Topic             Risk description                                                  Likelihood       Impact
A  Compensation   Dissatisfaction leads to higher turnover                          Possible         Moderate
B  Recognition    If unrecognized, leads to errors and less focus                   Unlikely         Minor
C  Downsizing     More overtime, so staff leave for better work/life balance        Likely           Moderate
D  Demographics   Changing demographics leads to more turnover                      Almost Certain   Moderate
Source: COSO 2004 Application Techniques, page 47

Risk Map
(Slide chart not reproduced in the transcription.)

Business Planning

Business Planning: Making Choices Based on Value
(Slide diagram not reproduced in the transcription: a household-budget analogy comparing choices among Vehicles, House, Medical and Travel, with intolerable risks and the highest risk-mitigation value for money marked.)

Summary - The Basic Approach to ERM
- Establish a policy and procedure (framework based on ISO 31000)
- Identify a champion and resources
- Agree on risk criteria, e.g. an impact scale
- Create conversations via workshops and interviews
- Prepare semi-annual risk profiles (based on interviews and/or risk workshops)
- Incorporate risk prioritization into business planning
- Include risk assessments in capital projects
- Monitor and improve

Questions?

Additional Key ERM Techniques

Target Risk Attitude
(Slide radar chart not reproduced in the transcription: a "Target" attitude plotted on a 0-5 scale across the axes safety, technical innovation, customer, employee relationship, environment, corporate image, revenue growth and shareholder return.)

Risk Attitude Comparison
(Slide radar chart not reproduced in the transcription: the same 0-5 axes as above, comparing the "Target" attitude with the attitudes of the business development, operations and accounting departments.)

Black Swans

Velocity Voting Scale
Interval between the initiating event or condition (the point at which the risk becomes inevitable) and its peak impact on our business objectives.

Resilience Voting Scale
- Ability to detect occurrence of the initiating event/condition, and to secure/deploy resources (plans, organizations, testing)
- Availability of, or access to, resources required to cope with or mitigate the business impact (people, knowledge, liquidity, equipment, etc.)

Additional Readings