Enterprise Risk Management Defined and Explained
Council of Engineering and Scientific Society Executives, ACCESSE16
July 27, 2016
Paul Klein, Managing Director, Not-for-Profit Atlantic Coast Market Territory, Business Advisory Services Leader
Defining risk
- Threats: the probability of damage, injury, liability, loss, or other negative consequence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
- Opportunities: the lost prospects of achieving positive outcomes due to conservative management that relies on eliminating potential negative consequences through avoidance.
Evolution of risk management
- Traditionally, risk management focused on minimizing insurable risks due to accidental loss
- Risk management evolved to include other risk transfer and risk mitigation strategies
- Enterprise risk management further elaborates this in the context of threats to achieving strategic goals and opportunities to advance the mission
What is ERM?
"... a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, providing reasonable assurance regarding the achievement of entity objectives."
- Source: COSO ERM Integrated Framework, Executive Summary, September 2004
Differences between Enterprise and Internal Audit risk assessments
Internal Audit Risk Assessment
- Focus on internal, controllable risks
- Risks viewed in the context of vulnerabilities
- Risk managed through controls that reduce/eliminate risk
- Evaluation of risk owned by internal auditor
Enterprise Risk Assessment
- Focus on internal and external risks
- Risks viewed in the context of organizational strategy
- Risk managed through a broader variety of techniques
- Evaluation of risk owned by everyone
ERM objectives
- Provide increased visibility to the most significant risks impacting the institution
- Provide a platform for broad discussion and evaluation of appropriate levels of risk-taking consistent with risk tolerances
- Focus management's risk management efforts by identifying and reporting emerging risks that could jeopardize the institution's mission and strategy
- Serve as a foundation for an on-going risk monitoring process
- Provide the leadership team with increased visibility to the most significant risks to the institution
ERM scope
- Strategic risks that may impact the institution's ability to achieve its strategic priorities and fulfill its mission
- Financial risks that may affect stewardship and accountability for organizational assets
- Business, operational, and program risks
- Regulatory compliance
- Reputational risks
- Information technology risk
- Emergency preparedness
Current state of ERM
- ERM processes at many institutions are still developing
- For-profits are further along in their ERM efforts than NFPs, partly due to regulatory requirements and stockholder demand for greater value
- Most organizations need to place a stronger focus on strategic risks
- While Boards are recognizing their risk oversight responsibilities, the level of oversight still varies greatly
Sample NFP Risk Universe
Strategic
- Strategy and Initiatives: Vision and Direction; Planning and Execution; Measurement and Monitoring; Organizational Structure; Restructuring and Alignment; Innovation; Brand and Reputation
- Partnerships and Collaborations: Integration; Alliances and Partnerships
- Communication: Policy and advocacy; Crisis Communications; Employee Communication; Media Communications
- Market Dynamics: Competition; Demand; Socio-Political
Operations
- Program Service & Delivery; Membership model; Supplier / Vendor Management; Contract Commitment; Procurement; Infrastructure and Assets; Project Planning and Management; Construction and Maintenance
- People: Culture; Recruiting and Retention; Development and Performance Measurement; Succession Planning; Compensation and Benefits
- Information Technology: Security/Access; Availability/Continuity; Application Development; Data Integrity; IT Project Management; Network Planning
- Hazards: Natural Events; Terrorism and Malicious Events; Disaster Response; Safety
Governance
- Board Performance; Tone at the Top; Control Environment; Social Responsibility; Policies and Procedures
- Code of Conduct: Ethics; Fraud
Legal / Compliance
- Legal: Contracts; Liability; IP Infringement; Compliance
- Regulatory compliance: Labor Practices (EEOC); Environment (EPA); Data Protection and Privacy; Health and Safety (EH&S)
Financial
- Liquidity and Credit: Income diversification; Debt Management; Credit and Collections (post-transaction); Insurance; Healthcare costs
- Accounting: External Reporting and Disclosure; Internal Reporting
- Tax: Tax Strategy and Planning
Reputational
- Image and Branding: Public Relations; Brand perception; Media
- Stakeholder Relations: Member Relevance; Donor Communication; Constituent Expectations
Participation in the ERM process: Board of Directors
- Oversee the ERM program
- Set the tone for organizational risk appetite
- Review the risks identified by management
- Endorse management's assessment of risks
- Review effectiveness of risk mitigation efforts
- Monitor compliance with risk mitigation policies and procedures as well as changes in the risk environment
Participation in the ERM process: key questions the Board should be asking
- How often are we refreshing our assessment of top risks?
- Who is accountable for results?
- How are we monitoring and managing the top risks?
- What progress are we making to further mitigate top risks?
- Do we have responses prepared for extreme events (the "black swans")?
Participation in the ERM process: Management
- Implement and manage ERM processes
- Align ERM program to strategic goals and objectives
- Set tone for staff
- Identify and prioritize risks
- Establish risk responses and mitigation practices
- Report to the Board
High level ERM process (components of the cycle)
- Risk Response
- ERM Strategy and Framework
- Ongoing Communication, Reporting, and Monitoring
- Action Planning
- Strategic Risk Assessment
Using ERM as a strategic advantage
Low value ERM
- Compliance focused
- Large inventory of risks and extensive risk mapping
- Risk mitigation to safeguard the organization
- Risk management activities are separate from strategic and operational decision-making
- Perceived as a necessary effort
- Delegated to lower level staff
High value ERM
- Value and opportunity focused
- Fewer risks, focused on significant gains/losses
- Risk optimization to maximize value
- Risk management is incorporated in strategic and operational decision-making
- Perceived as a cultural imperative
- Participation at all levels of the organization
Getting your ERM initiative started
- Seek board and senior management leadership, involvement, and oversight
- Select a strong leader to drive the ERM initiative
- Establish a risk management committee or working group
(From COSO: Embracing Enterprise Risk Management)
Perfect is the enemy of good enough! The most important thing is to get started.
ERM: the project
- Phase 1: Understand Business Environment
- Phase 2: Develop Risk Universe and Assess Risks
- Phase 3: Determine Risk Responses
- Phase 4: Design Ongoing ERM Processes
- Phase 5: Monitor Risk Universe
- Train and embed ERM guiding principles and processes
Implementing ERM, Phase 1: Understand the Business Environment
- Review relevant documentation
- Conduct an ERM kick-off meeting
- Conduct an introductory training session for senior management
- Facilitate Board dialog on risk
- Interview senior management and select Board of Directors
- Establish a committee responsible for risk management processes and activities
Implementing ERM, Phase 2: Develop Risk Universe and Assess Risks
- Define the glossary of risk terminology
- Establish a framework for describing and evaluating risks
- Create risk register
- Confirm and hone the list with management
- Evaluate risks, assessing risk impact, likelihood, velocity, duration
- Identify risk categories and common themes
- Prioritize risks
Risk evaluation framework: IMPACT
Overall risk rating (Low / Medium / High) by impact area:
Strategy
- Low: Achievement of strategic goals is delayed; customers are inconvenienced; minimal attrition can be expected (<1%)
- Medium: Achievement of strategic goals is blocked / management must reconsider initiatives; customer attrition is likely
- High: Existential risk to the organization; significant impediment to attracting and retaining customers
Operations / Financial / Personnel / Technology
- Low: Changes required may be accomplished within operating budget parameters without significantly affecting other initiatives
- Medium: Changes require significant use of resources and require Board action; unrestricted net assets stay mostly intact (<=$500k)
- High: Changes require significant use of resources and require Board action; significantly erodes unrestricted net assets (>$500k)
Legal / Compliance
- Low: Low probability of successful lawsuit / sanctions against the organization (<15%); financial exposure is minimal (<$10,000)
- Medium: Heightened probability of successful lawsuit / sanctions against the organization (15%-50%); financial exposure would leave unrestricted net assets mostly intact (<=$500k)
- High: High probability of successful lawsuit / sanctions against the organization (>50%); financial exposure of a successful suit significantly erodes unrestricted net assets (>$500k)
Fraud
- Low: Minor amount of resources affected by fraud. Control structure exists, but does not operate sufficiently to prevent/deter/detect fraud.
- Medium: Significant amount of resources affected by fraud. Control structure exists, but does not operate sufficiently to prevent/deter/detect fraud -or- minor amount of resources affected by fraud, but control structure is insufficient to prevent/deter/detect fraud (control design weakness).
- High: Significant amount of resources affected by fraud. Control structure is insufficient to prevent/deter/detect fraud (control design weakness).
Opportunity
- Low: Little or minimal loss of potential revenue opportunity by not mitigating the identified risk
- Medium: Material loss of potential revenue opportunity (<=$500k)
- High: Significant loss of potential revenue opportunity (>$500k)
Reputation
- Low: Little to no external reaction expected; only a small constituency or interest group takes note
- Medium: External reaction expected from a broad constituency or interest group, but unorganized
- High: Significant external reaction expected from a broad constituency or interest group; risk event is noted on a national scale; causes constituents to organize against the organization or distance themselves from the organization
Risk evaluation framework: VELOCITY and LIKELIHOOD
VELOCITY (rated Low / Medium / High)
- Speed at which risk creates impact: Slow (greater than 24 months) / Moderate (12-24 months) / Fast (less than 12 months)
- Anticipated duration that impact will be felt: Short (less than 6 months) / Moderate (6-12 months) / Long (greater than 12 months)
LIKELIHOOD (probability of occurrence)
- Remote: < 5% in one year, or once in 20 years
- Unlikely: 5-20% in one year, or once in 15-20 years
- Possible: 20-40% in one year, or once in 10-15 years
- More Likely than Not: 40-60% in one year, or once in 5-10 years
- Probable: 60-80% in one year, or once in 2-5 years
- Nearly Certain: > 80% in one year, or once in 1-2 years
Sample risk categories
- Strategy
- Operations
- Technology
- Personnel
- Finance
- Compliance
- Regulations
- Reputation
- Governance
- Fraud
- Environment
Sample risk register (Sample Risk Catalog)
Columns: Risk Area | Short name | Risk Description | IMPACT (Overall, Strategy, Operations, Financial, Compliance, Fraud, Legal, Personnel, Opportunity, Reputation, Technology) | Likelihood | Velocity | Duration | Trend

1. Emergency preparedness | Business continuity | Failure to recover from an event that significantly disrupts operations and threatens business continuity
   Impact: Overall High; Strategy Low; Operations High; Financial High; Compliance Low; Fraud Low; Legal Low; Personnel Low; Opportunity Low; Reputation Low; Technology Low
   Likelihood Possible; Velocity Fast; Duration Short; Trend Increasing
2. Emergency preparedness | Natural disasters | Failure to maintain practices for emergency/disaster preparedness in the event of natural disasters
   Impact: Overall High; Strategy Low; Operations High; Financial Medium; Compliance Low; Fraud Low; Legal Low; Personnel Low; Opportunity Low; Reputation Low; Technology Low
   Likelihood Remote; Velocity Fast; Duration Medium; Trend Steady
3. Emergency preparedness | Violence or Terrorism | An act of violence / terrorism affects the facility or neighborhood, resulting in business interruption, injury, or damage to facilities.
   Impact: Overall High; Strategy Low; Operations High; Financial Medium; Compliance Low; Fraud Low; Legal Low; Personnel Low; Opportunity Low; Reputation Low; Technology Low
   Likelihood Remote; Velocity Fast; Duration Medium; Trend Steady
4. Financial | Exchange rate volatility | Impact of exchange rate variations when doing business internationally
   Impact: Overall Medium; Strategy Low; Operations Low; Financial Medium; Compliance Low; Fraud Low; Legal Low; Personnel Low; Opportunity Low; Reputation Low; Technology Low
   Likelihood Possible; Velocity Fast; Duration Short; Trend Increasing
5. Financial | Financial fraud | Failure to protect the organization against any financial (e.g., treasury and cash management) fraud or malpractice
   Impact: Overall High; Strategy Low; Operations Low; Financial High; Compliance Medium; Fraud High; Legal Medium; Personnel Low; Opportunity Low; Reputation High; Technology Low
   Likelihood Remote; Velocity Slow; Duration Medium; Trend Steady
6. Brand | Protecting IP | Failure to adequately protect intellectual property from unauthorized access or sharing by users
   Impact: Overall High; Strategy Low; Operations Low; Financial High; Compliance Low; Fraud Low; Legal Low; Personnel Low; Opportunity Low; Reputation Low; Technology Low
   Likelihood More Likely than Not; Velocity Medium; Duration Medium; Trend Increasing
7. Strategy | Government funding, mandates, and embargos | Failure to adapt to the shift in government funding to agencies and research institutions, as well as to mandates and embargos on government funding
   Impact: Overall Medium; Strategy Medium; Operations Low; Financial Medium; Compliance Low; Fraud Low; Legal Low; Personnel Low; Opportunity Low; Reputation Low; Technology Low
   Likelihood Probable; Velocity Medium; Duration Long; Trend Increasing
8. Technology | IT security practices | Failure to create and maintain adequate security measures to safeguard against threats, including security policies and procedures
   Impact: Overall High; Strategy Low; Operations High; Financial High; Compliance Low; Fraud Low; Legal Low; Personnel Low; Opportunity Medium; Reputation Low; Technology High
   Likelihood Possible; Velocity Medium; Duration Medium; Trend Increasing
9. Technology | Protect enterprise data | Failure to properly secure enterprise data from data servers and employee computers
   Impact: Overall High; Strategy Low; Operations Medium; Financial High; Compliance Low; Fraud Low; Legal Low; Personnel Low; Opportunity Low; Reputation Medium; Technology Medium
   Likelihood Possible; Velocity Fast; Duration Medium; Trend Steady
10. Technology | Protect malicious activity of vendors | Failure to adequately monitor and protect access to various SaaS (cloud-based) systems from malicious usage by vendors
   Impact: Overall Medium; Strategy Low; Operations Medium; Financial Medium; Compliance Low; Fraud Low; Legal Low; Personnel Low; Opportunity Low; Reputation Medium; Technology Medium
   Likelihood Possible; Velocity Medium; Duration Medium; Trend Steady
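The evaluation framework and the sample register above describe a scoring scheme in prose and tables; the following is an added example (not from the original presentation) that turns it into code. The numeric thresholds are the ones the framework prints. Three combination rules are assumptions, labelled as such in the comments: the overall impact is the highest single impact dimension (which holds for every row of the sample register), the six likelihood bands collapse two at a time onto the heat map's L/M/H rows, and the Legal / Compliance rating takes the higher of its probability and exposure sub-ratings. The sample rows in `sample_register()` are transcribed from the register above.

```python
"""Risk-scoring helpers built on the evaluation framework and register above.

Added example, not from the original presentation. Thresholds are the ones the
framework prints; the combination rules are assumptions: overall impact is the
highest single dimension (true of every sample row), the six likelihood bands
collapse two at a time onto the heat map's L/M/H rows, and Legal/Compliance
takes the higher of its probability and exposure ratings.
"""
from __future__ import annotations
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
IMPACT_DIMENSIONS = ("Strategy", "Operations", "Financial", "Compliance", "Fraud",
                     "Legal", "Personnel", "Opportunity", "Reputation", "Technology")
LIKELIHOOD_BANDS = ("Remote", "Unlikely", "Possible", "More Likely than Not",
                    "Probable", "Nearly Certain")
HEAT_MAP_ROW = dict(zip(LIKELIHOOD_BANDS, ("L", "L", "M", "M", "H", "H")))  # assumption


def likelihood_band(annual_probability: float) -> str:
    """Annual probability (0..1) -> framework band; each band is [lower, upper)."""
    for upper, band in ((0.05, "Remote"), (0.20, "Unlikely"), (0.40, "Possible"),
                        (0.60, "More Likely than Not"), (0.80, "Probable")):
        if annual_probability < upper:
            return band
    return "Nearly Certain"


def velocity_band(months_to_impact: float) -> str:
    """Speed at which the risk creates impact: Slow > 24 months, Fast < 12."""
    if months_to_impact > 24:
        return "Slow"
    return "Moderate" if months_to_impact >= 12 else "Fast"


def _band(value: float, medium_from: float, high_above: float) -> str:
    """Low below medium_from, Medium up to and including high_above, High beyond."""
    if value > high_above:
        return "High"
    return "Medium" if value >= medium_from else "Low"


def legal_band(suit_success_probability: float, exposure_usd: float) -> str:
    """Legal / Compliance impact from the probability of a successful suit or
    sanction (<15% / 15-50% / >50%) and financial exposure (<$10k / <=$500k / >$500k)."""
    return max(_band(suit_success_probability, 0.15, 0.50),
               _band(exposure_usd, 10_000, 500_000), key=LEVELS.__getitem__)


@dataclass
class Risk:
    """One register row: per-dimension impact ratings plus likelihood metadata."""
    area: str
    short_name: str
    impacts: dict[str, str]   # dimension -> "Low" | "Medium" | "High"
    likelihood: str           # one of LIKELIHOOD_BANDS
    velocity: str             # "Slow" | "Medium" | "Fast", as the register writes them
    duration: str
    trend: str

    def overall_impact(self) -> str:
        # Assumption: overall = highest-rated dimension; reject unknown dimension names.
        unknown = set(self.impacts) - set(IMPACT_DIMENSIONS)
        if unknown:
            raise ValueError(f"unknown impact dimension(s): {sorted(unknown)}")
        return max(self.impacts.values(), key=LEVELS.__getitem__)

    def heat_map_cell(self) -> tuple[str, str]:
        """(likelihood row, impact column) on the L/M/H x L/M/H heat map."""
        return HEAT_MAP_ROW[self.likelihood], self.overall_impact()[0]


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest priority first: impact, then likelihood, then velocity (fast first)."""
    velocity_rank = {"Slow": 0, "Moderate": 1, "Medium": 1, "Fast": 2}
    return sorted(register, reverse=True, key=lambda r: (
        LEVELS[r.overall_impact()], LIKELIHOOD_BANDS.index(r.likelihood),
        velocity_rank[r.velocity]))


def sample_register() -> list[Risk]:
    """Four rows transcribed from the sample register; ratings in IMPACT_DIMENSIONS order."""
    rows = [
        ("Financial", "Exchange rate volatility", "Low Low Medium Low Low Low Low Low Low Low",
         "Possible", "Fast", "Short", "Increasing"),
        ("Financial", "Financial fraud", "Low Low High Medium High Medium Low Low High Low",
         "Remote", "Slow", "Medium", "Steady"),
        ("Technology", "IT security practices", "Low High High Low Low Low Low Medium Low High",
         "Possible", "Medium", "Medium", "Increasing"),
        ("Technology", "Protect enterprise data", "Low Medium High Low Low Low Low Low Medium Medium",
         "Possible", "Fast", "Medium", "Steady"),
    ]
    return [Risk(area, name, dict(zip(IMPACT_DIMENSIONS, ratings.split())), *rest)
            for area, name, ratings, *rest in rows]
```

Running `prioritize(sample_register())` puts the two Technology rows first: both rate High overall and Possible, and "Protect enterprise data" wins the tie on velocity (Fast over Medium). The band boundaries are half-open because the framework's printed ranges (5-20%, 20-40%) share their endpoints; an organization adopting this scheme should fix that convention in its risk glossary.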
Implementing ERM, Phase 3: Determine Risk Responses
- Map risk management activities
- Ascertain institutional risk tolerance/appetite
- Assess gaps in risk response capabilities
- Develop an action plan to further reduce risk exposure
- Review analysis and plans with executives and the Board
- Execute approved action plans
ERM working document (template)
Columns: Risk Events | Current Risk Profile (Impact, Likelihood) | Current Risk Mitigation Activities | Required Action Items | Future Risk Profile (Impact, Likelihood)
Rows numbered 1 through 9, one per risk event
Tips for improving your ERM efforts
Align responses to your risk appetite (description: action):
- Intolerable: Completely avoid/eliminate risk
- Highly undesirable: Accept risk only if essential and there is a limited possibility/extent of failure
- Manageable: Accept risk if benefits outweigh negative consequences (justified risk); manage impacts
- Negligible: Accept possibility of failure if it maximizes returns; monitor risk for changes in risk profile
Sample ERM heat map
Area of Focus: Technology. Each risk event is plotted by LIKELIHOOD (L / M / H, vertical axis) against IMPACT (L / M / H, horizontal axis); the grid positions are not reproduced here.
Risk events:
1. Cyber threats
2. Back-up and recovery
3. Optimizing systems
4. IT governance
5. Access to budgets
6. Technology investments
7. Help desk
8. Policies & procedures
9. Mobility
10. Availability/reliability
11. Supplier/contractor activity
12. End-user training
13. Balancing costs
Implementing ERM, Phase 4: Design Ongoing ERM Processes
- Design continuous risk assessment process that is embedded in the ERM program
- Design monitoring and event identification process
- Align strategic planning with ERM processes
- Design communication and reporting process
- Create long-term awareness and training plan
Implementing ERM, Phase 5: Monitor Risk Universe
- Monitor changes to identified enterprise risks
- Discuss new and emerging risks
- Reassess action plans
- Update risk universe and prioritization
- Report progress to executives and the Board
Benefits of ERM
- Create clarity of definition and consensus regarding risk
- Protect assets of the organization, especially reputation
- Prevent/reduce impact of risks
- Provide transparency and accountability
- Increase constituent confidence
- Unify behavior/culture around risk management
- Establish linkage to strategic planning
- Prioritize allocation of resources (to most significant risks)
- Support mission success
Additional resources for management, Board members, and audit committees
Publications for not-for-profit organizations: www.grantthornton.com/nfp
Questions / Comments
Contact information
Paul Klein, Managing Director, Not-for-Profit Atlantic Coast Market Territory, Business Advisory Services Leader
T 215.814.1736
E Paul.Klein@us.gt.com