Enterprise Risk Management
Montana State Fund
Report to the Board, January 28, 2011
Presented by: Mary Peter, Director of Enterprise Risk Management
Enterprise Risk Management (ERM) Defined
- An integrated approach to addressing all forms of risk to an organization
- A top-down assessment of risk and opportunity for the organization as a whole
- A process to align risk strategies to support further growth and protect existing assets
- A proactive approach to increasing the visibility of how risk is managed in an organization
- ERM leads to informed decision-making and helps preserve and enhance value
- It is different for every organization and industry
ERM Has Evolved

Historical View
- Hazard Risk Management
- Insurable financial risks
- Focus on preservation of tangible assets
- Silo approach: each department/function manages its risks independently
- Risk management = separate function
- Risks are threats; focused on avoidance of negative events

Today
- Enterprise Risk Management
- Operational, strategic, financial, reputational and insurable risks
- Recognition of the value of tangible and intangible assets
- Holistic approach, coordinated at the highest level within the organization
- Risk management is a corporate-wide daily concern and is embedded in the operations
- Risks can be threats and opportunities
Drivers of ERM
- Board of Directors: demand increased financial disclosure and transparency
- Stakeholders: demand evidence that management understands and manages risks
- Regulators/Rating Agencies: seek assurance around compliance and risk assessment processes
- Credit and Rating Analysts: ask organizations to report risks in a forward-looking context
- Activists: demand social awareness, safety and environmental consciousness
- Customers: make decisions based on differentiating factors
- Peers: comparison with others drives industry-wide practice
- Competitors: push innovation, drive leadership
Sample Rating Agency Classifications

Excellent
- Advanced capabilities to identify, measure and manage all risks within tolerances
- Advanced implementation, development and execution of ERM parameters
- Consistently optimizes risk-adjusted returns throughout the organization
- Clear vision of risk tolerance and overall risk profile

Strong
- Risk control exceeds adequate for most major risks
- Has robust processes to identify and prepare for emerging risks
- Incorporates risk management and decision making to optimize risk-adjusted returns

Adequate
- Has fully functioning control systems in place for all major risks
- May lack a robust process for identifying and preparing for emerging risks
- Process to optimize risk-adjusted returns not fully developed

Weak
- Incomplete control process for one or more major risks
- Inconsistent or limited capabilities to identify, measure or manage major risk exposures

Note: These are classifications S&P uses in its ERM evaluations for insurance companies and may or may not be used for nonfinancial companies.
ERM, Risk-Focused Exam, and MAR

ERM
1. Establish the Foundation
2. Identify the Risks
3. Assess the Risks
4. Evaluate the Risks
5. Execute Risk Response
6. Monitor and Review as necessary

Risk-Focused Exam
1. Understand the Company
2. Inherent Risk Review
3. Risk Control Review
4. Determine Residual Risk and Perform Gap Analysis
5. Communicate Findings
6. Monitor Findings

Model Audit Rule
1. Tone at the Top
2. Identify Key Statement Accounts
3. Document Processes, Data Sources, Perform Walkthrough
4. Identify and Test Key Controls, Evaluate Effectiveness
5. Recommendation and Remediation; Repeat Until Effective
6. Reporting and Management Attestation
Benefits and Value of ERM

More Effective Strategic Planning
- More accurate financial forecasts and projections
- More informed and accurate budgetary planning
- More accurate resource planning

Increased Understanding of Exposure to Risk
- Reduced exposure to controllable events
- Response time improves when risks are anticipated
- Reduced disruptions to ongoing operations

Improved Decision Making
- More informed and fact-based decision making
- Improved planning of future resource requirements
- Reduced wasteful spending on unnecessary expenditures

Enhanced Market Perception
- Improved credit agency ratings
- Enhanced perception of shareholder value by minimizing losses and maximizing opportunities

Enhanced Internal Culture and Operations
- Improved productivity with awareness of risk exposure
- Increased strength of culture with adoption across the organization
- Increased awareness of business operations for management
Integration of ERM and Strategic Planning

Montana State Fund Strategic Business Plan for 2011. Enterprise Risk Management applies directly to:

- Enterprise-wide initiatives, specifically Infrastructure
- Key Performance Indicator: Establish an enterprise-wide definition and common understanding of Montana State Fund's risk tolerance, how it impacts what we do, and what creative and cost-effective opportunities exist to minimize our exposure to potentially catastrophic actions or events.
- Success Measure No. 3: Train and educate leadership by October 2010
- Success Measure No. 4: Establish the ERM framework by May 2011 with specific steps
- Guiding Principles: enter into strategic partnerships; continuous improvement
- Key Success Measure No. 6: Achieve Enterprise-Wide Initiatives
Role of Eide Bailly ERM Team

Hands-on team approach:
- Our team facilitates the full six-step ERM process along with MSF's designated leaders
- MSF makes all management, risk, control, and any risk-related decisions with respect to the ERM process and plan
- Communication is the key
MSF ERM Roles and Responsibilities

ERM Sponsors
- Executive sponsors of the ERM program
- Communication of the ERM program sets the tone at the top

ERM Executive Oversight Team
- Reviews recommendations for MSF ERM
- Reviews ERM-related information for alignment with culture and mission
- Knowledgeable in their industry and how ERM will benefit the company and its constituents

ERM Project Team Leadership
- Assists in facilitating workshops and interviews to obtain interrelated risk discussions
- Able to identify ERM risks, including emerging risks, with the project team

ERM Project Team
- Cross-functional working team that will do risk identification, risk assessment and risk response planning
- Assists in designing the customized ERM program and outcomes, aligning them with the company's goals and objectives
- Assists in developing the ERM process, communications, and monitoring
- Reviews data and makes recommendations
Simplified ERM Approach: Six Steps

Step 1: Establish the ERM Foundation
Align your risk appetite with your strategic plan. Develop long-term objectives and short-term milestones.

Step 2: Identify Risks
Determine where, when and how events could prevent, degrade or delay the success of your organization. Utilize interviews, surveys, documentation review and facilitated workshops.

Step 3: Assess Risks
Review the residual risk that remains. Consider interdependencies of risks.

Step 4: Evaluate Risks
Maximize the opportunity of well-managed risks to create value for your organization. Amend risk response to better manage or mitigate risks, and prioritize. Create a risk response strategy.

Step 5: Execute Risk Response Plans
Define risk owners and consider a practical risk/reward approach. Finalize a communication plan and customize reporting.

Step 6: Monitor ERM
Review the ERM program at regular intervals. Keep communication alive with a customized communication plan.
SAMPLE Risk Matrix (fictional risks)
Risk Reports: Sample Heat Map (figure). Six fictional risks (Risk One through Risk Six) are plotted with Likelihood on the horizontal axis and Impact on the vertical axis, each scaled 0 to 10.
Montana State Fund - Project Calendar

Timeline: October 2010 through June 2011 (today marked on the calendar)
- Step 1: Establish the Foundation
- Step 2: Risk Identification
- Step 3: Risk Assessment

Note: This calendar represents the current timeline. All timelines and dates are subject to change based on meeting availability, onsite scheduling and information gathering.
Questions?
Mary Peter, Director of Enterprise Risk Management
mpeter@eidebailly.com
866-585-9050