Professional Documents
Culture Documents
Agenda
ERM 101 2
Case study 28
Lessons learned 34
Q&A 38
1 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
ERM 101
1
9/5/2013
What is risk?
An effective ERM program mayhelp not only preserve value in the traditional risk
management sense but also help create value for the respective organizations
3 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
What is ERM?
4 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
5 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
2
9/5/2013
What is ERM?
ERM can integrate siloed risk management efforts to focus organization
on key risks
6 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
Why ERM?
7 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
3
9/5/2013
management of risk
Legend
Areas of Immediate Continuous Extends Beyond 12
Focus Improvement Months
9 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
speed of onset)
plan
10 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
Identify
where risk is
manifested
in the
organization
11 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
4
9/5/2013
12 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
13 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
of risk management
= • Business Decisions
management might take to
control risk is willing to accept to
14 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
5
9/5/2013
q Risk appetite is the criteria used to assess and prioritize the identified potential
risks
– Vulnerability: The remaining impact of the risk (residual) which takes into
account any controls/ strategies/ mitigation factors.
15 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
MEDIUM 3 rating: Regional media Decline in customer Moderate interruptions Unplanned loss of Moderate or routine
(3 Rating) Greater than $XX attention satisfaction of business operations several employees federal and state
million and less than of 1 or more divisions litigation subject to
$XX million impact on Some negative impact Impact on sales or countries Some impact on substantial fines or
earnings before taxes on reputation and employee relations, penalties, subject to
brand, not likely to Potential losses are retention rates, and regulatory proceedings
have long-lasting likely recoverable in morale and/or hearings
impact the short term (12 - 24
months)
LOW 2 rating: Minimal local media Minimal or isolated Moderate interruptions Unplanned loss of a Unlikely or remote
(1-2 Rating) Greater than $XX attention impact on customer of business operations single employee chance of criminal
million and less than satisfaction w ithin 1 division or enforcement, civil
$XX million impact on Minimal or no negative country No impact on enforcement, and/or
earnings before taxes impact on reputation Minimal complaints employee relations, litigation
and brand w ith and recovery costs Potential losses are retention rates, and
1 rating: primarily short-term considered to be morale
Less than $XX million impact temporary (less than
impact on earnings 12 months)
before taxes
16 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
MEDIUM Mitigation/monitoring Risk affects a Moderate level of internal Process is in place but is in need of Moderate data & system
(3 Rating) plans need to be medium # of staff capable of managing improvement (e.g., may be overly performance, reliability, and
updated and/or improved transactions or a risk potential complex or manually driven) validity issues
medium # of
processes Moderate access to Monitoring, testing and/or reporting of Moderate level of change
resources process needs improvement required to systems as a
Moderate result of risk event
subjectivity to Moderate level of change Moderate level of change required to
judgment and experienced by resources business process as a result of risk event
estimation as a result of risk event
LOW 2 rating: Risk affects a low Sustainable level of Clear, effective and consistently follow ed Minimal data & system
(1-2 Rating) Mitigation/monitoring # of transactions employees capable of process to manage the risk is in place performance, reliability and
plans are in place, or a low # of managing risk potential validity issues
consistently applied and processes and low Any necessary monitoring, testing and/or
routinely tested; subjectivity to Readily available reporting of process has been effectively Minimum level of changes
judgment and resources implemented required to system as a result
1 rating: estimation of risk event
Mitigation/monitoring Minimal level of change Minimal level of change required to
plans are an integral part experienced by resources business process as a result of risk event
of standard operations as a result of risk event
17 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
6
9/5/2013
SPEED OF ONSET – How quickly could this risk event occur, i.e., how much time would
GLDD have to react?
Criteria Definition
HIGH Very rapid onset;little or no warning, instantaneous.
(4-5 Rating)
18 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
R CI
Risk appetite/tolerance discussions with executives Assess/ Redeploy Measure for
Resources Cumulative
and board will help define “High”, “Medium” Impact
and “Low” for each of these components
L Vulnerability H
*MARCI chart used with permission of Deloitte Development LLC. All Rights Reserved.
19 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
B ID Risks
A
D A Foreign Exchange Rate
E B Competition
F I C Transfer Pricing
K H
D Debt Management
G
L E Contracts
Assure Risk Mitigation Enhance Risk
is Effective Mitigation F Financial Accounting
Medium
Impact
M J G Information Security
N H Cash Management/Liquidity
C I Regulatory Compliance
J Quality
K Succession Planning
L Reputation
M Intellectual Property
Redeploy Measure for N Insurance Coverage
resources Cumulative Impact
Low
Vulnerability
20 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
7
9/5/2013
5. Quantify risk
Perform risk quantification on key risks identified from risk prioritization
21 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
Alternative Responses:
1. NFA – Appropriate assurance activities
H Alternative Responses:
1. NFA – Appropriate response currently
Assurance of Enhance Risk
exist, confirm accountability/metrics Preparedness Mitigation underw ay – Confirm accountability/metrics
and monitor and monitor
2. ACT – Conduct additional assurance 2. ACT – Do something now to mitigate risk
activities now or otherw ise add to audit A M and/or exploit opportunity
plan 3. LEARN MORE – Further inquiry
3. LEARN MORE – Further inquiry necessary/deep dive
Impact
necessary/deep dive
R CI
No immediate action planned Measure for Confirm accountability/metrics and monitor
Assess Cumulative
Resources Impact
L Vulnerability
H
22 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
23 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
8
9/5/2013
• Activity 2
• Activity 3
• Activity 4
Key Metrics:
• Metric 1
• Metric 2
• Metric 3
• Metric 4
• Metric 5
24 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
25 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
26 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
9
9/5/2013
27 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
Case study
Background
Firm B was seeking to develop a Risk Self-Assessment (RSA) Manual to be used
within the business units (BU) to enable specific and consistent methodology for
the assessment of risk.
Project Sponsor
Chief Risk Officer (CRO)
29 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
10
9/5/2013
30 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
31 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
32 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
11
9/5/2013
33 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC.All rights reserved.
Lessons learned
Leading practices
• Risk management should be integrated into corporate culture, starting at the
Board level and with the governance capability.
• Ensure the ERM fundamentals, i.e., the framework, methodology, and tools are
established before developing more advanced risk management practices
• Buy in from CEO and executive team is imperative to the program’s success
• Elevated CRO visibility and responsibility: direct reporting to the board and/or
CEO, and increasing frequency of CRO executive sessions with the board
• The integration of ERM with other management practices (performance
management, process management, compliance management, quality
management, etc.)
• Leaders actively shape their risk culture into something purposeful that is
aligned with business strategy — and where each employee takes personal
responsibility for managing risk in their work every day understands how to
make the right risk-based decisions
• Integration of risk discussions and ERM monitoring into everyday business is
essential – not a documentation exercise
• Build common language and common metrics
35 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
12
9/5/2013
Potential challenges
• ERM training is still limited to risk specialists and people directly involved in the
Risk Management activities
• Just in this past decade, many companies’ failures were the result of bad
decisions on the part of a handful of people – in these cases, the human factor
is the root cause
• In the midst of the recent economic challenges, many companies with well-
established ERM functions, processes, and controls still failed
• Missing the cultural and organizational components that may help guard against
ineffective or just plain poor decision-making on the part of individuals
• ERM processes are implemented but organizations may still face challenges
with respect to effective monitoring and reporting
• Lack of awareness is a common barrier to effectiveness
36 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
Current trends
• There is increasing link between risk and performance management
• More emphasis has been put on risk related to strategy and its execution
• The focus is shifting from the unrewarded risks to the rewarded risks
• The role of HR in managing risk is expanding
• Social media risk rivals financial risk as an area of concern
• Continuous risk monitoring is rare today, but on the rise
• The Changing Role of Internal Auditors is not just focused on risk mitigation but
also value creation
• Data integrity and data analysis become increasingly important as systems are
integrated and reporting needs increase
• Boards have been increasingly proactive in risk management and this will likely
continue
• The CRO is increasingly a more senior executive position
37 Practical Enterprise Risk Management (ERM) Copyright © 2012 Deloitte Development LLC. All rights reserved.
Q&A
13
9/5/2013
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering
accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is
not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action
that may affect your business. Before making any decision or taking any action that may affect your business, you
should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on
this presentation.
14