and Risk Tolerance in an Effective ERM Program

Transcription

1 The Roles of Risk Appetite and Risk Tolerance in an Effective ERM Program Eric Gerner, Risk Advisory Services Director Tuesday, July 10, 2012 General Information Share the webinar Ask a question Votes (polling questions) Rate (before you leave) Attachments (you can download today s presentation) Experis Tuesday, July 10,

2 Earning CPE Credit To receive 1 CPE credit for this Webinar, participants must: Attend the Webinar for at least 50 minutes on individual computers (one person per computer) Answer polling questions asked throughout the Webinar Experis Tuesday, July 10, Meet our Presenter Eric Gerner, Director of Risk Advisory Services Eric.Gerner@experis.com com (703) Experis Tuesday, July 10,

3 Agenda ERM Overview Overview of Risk Appetite and Tolerance Examples and Communication Alignment with Governance Experis Tuesday, July 10, What is Enterprise Risk Management (ERM)? A structured and disciplined approach that supports the alignment of strategy, processes, people, technology and knowledge as an organization evaluates and manages the uncertainties it faces in order to attain its goals Aligns corporate goals with associated risks Reduce potential loss and increase potential gain Transparency for Board of Directors and Management Integrate into the operations of the business Experis Tuesday, July 10,

4 Standard & Poor s view of ERM An approach to assure the firm is attending to all risks A set of expectations among management, shareholders and the board about which risks the firm will and will not take A set of methods for avoiding situations that might result in losses that would be outside the firm s tolerance A method to shift focus from cost / benefit to risk / reward A way to help fulfill a fundamental responsibility of a company s board and senior management A toolkit for trimming excess risks and a system for intelligently selecting which risks need trimming A language for communicating the firm s effort to maintain a manageable risk profile Experis Tuesday, July 10, Components of ERM Goals and Objectives Enterprise Risk Management Language Governance Process Experis Tuesday, July 10,

5 Risk Universe Structure at a Glance RISK Categories Compliance Financial Strategic Operational Corporate Level Compliance Financial Strategic Operational Operating Units Compliance Strategic Financial Operational Experis Tuesday, July 10, Alignment of Appetite and Tolerance Based on the organization s risk appetite specific tolerances are applied to achieve objective as risk, threat and potential negative result are managed Goals and objectives Risk Appetite Risk Tolerance Risk Tolerance Risk Tolerance Risk Tolerance Experis Tuesday, July 10,

6 Polling Question #1 Which of the following is NOT a component of ERM: A. Aligns corporate goals with associated risks B. Reduce potential loss and increase potential gain C. Transparency for Board of Directors and Management D. A substitute for management s judgment E. Integrate into the operations of the business Experis Tuesday, July 10, The ERM Maturity Model Develop internal buy-in and benefits awareness Perform Diagnostic of existing Risk Mngt program Develop Governance structure Develop Risk Universe and language Execute a Risk Assessment Develop priorities from Assessment Assign responsibility for respective risks Define Appetite and Tolerance Integrate into strategic initiatives Align with senior leadership on the key risks Initiate risk reporting and monitoring Leverage Risk Committee to review risks and the effectiveness of risk mitigation Evaluate risk tolerances and policies / authorities Expand risk reporting Integrate risk based decisions into mgmt s daily operations Integrate Internal Audit with ERM assessment and monitoring Adjust from cost/benefit to risk/reward decision process Leverage risk management to competitive advantages in the market Integrate continuous monitoring of key risk indicators into risk reporting Timeline Experis Tuesday, July 10,

7 COSO Definition of Risk Appetite The amount of risk on a broad level an organization is willing to accept in pursuit of value. It reflects the entity s risk management philosophy, and in turn influences the entity s culture and operating style Experis Tuesday, July 10, Risk Appetite Tone at the top risk perspective, set by the Board of Directors Is strategic and is related to the pursuit of organizational objectives Boundaries within which the company is willing to operate Define the willingness to engage in business activities with the associated types of risks The nature of the control structure associated with the management of the associated risks With this guidance, managers should have an enhanced perspective to interpret various high level and critical factors of risk to apply key business decisions Basis to apply judgment for the aggressiveness with which to pursue activities and objectives Experis Tuesday, July 10,

8 COSO Definition of Risk Tolerance The acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective Experis Tuesday, July 10, Risk Tolerance The means to operationalize the risk appetite throughout the organization Provide clarity on management s evaluation of its business activities and objectives towards its goals Tactical link of individual risks to the strategic goals Create the measureable components for monitoring the alignment of progress with the goals and objectives How do you determine them what are the assumptions for the range of acceptable performance built into the corporate goals Leading/lagging indicators Leverage from existing performance metrics Creates transparency for Board/Management monitoring Experis Tuesday, July 10,

9 Three Steps to Risk Appetite and Tolerance A. Develop B. Communicate C. Monitor and Update Experis Tuesday, July 10, A. Develop Provide effective communication of risk throughout the organization Applied to cover all categories of risk Must be preceded by discussions of strategy and objectives Develop through Facilitated discussions Discussions related to objectives and strategies Development of performance models Experis Tuesday, July 10,

10 Sample Risk Universe INTERNAL RISKS Operational Resource Strategic Client/Partner Change Order Client Expectations Client Indecision Client Interferences Client Management Turnover Client Response Time Errors in Client Information New Client Selection Process Schedule Available Bidding Time Completion Deadlines and Milestones Force Majeure Logic and Update Resource Management Control Warranty Quality Testing Design Constructability Plan Coordination Process/Technology Scope Completeness Execution Business Interruption Change Order Management Environment Logistics Site Safety Procurement Bondability Timeliness of Buy-Out Commodity Coordination Performance Sub Profile Workload Estimating Adjustments Price Quantity Trade Coverage Legal Contract Types Dispute Management Employment Contractual Misinterpretations Non-Performance Terms and Conditions Third Party Integrity Fraud Illegal Acts Program Development Feasibility Needs Analysis Financial Capital Availability Collectibility Interest Rate Investment Evaluation Liquidity Surety Tax People Adaptability Competencies Availability Critical Person Turnover Information Accuracy Measurement Alignment Security/Control Technology Availability Timeliness Usefulness Brand Erosion Business Model Communication Incentive Alignment Market Diversification Market Penetration Organization Structure Succession EXTERNAL RISKS Regulatory Environment Competitor Market Changes in Law Compliance Catastrophic Community Political Trade Labor Availability Key Relationships Core Competencies Demand ERM Strategies for Internal Audit 15 Experis Goals: Tuesday, 1. Financial July 10, Targets Market Mix/Penetration 3. Progress Towards Establishing Future Goals 4. Employee/Customer19 B. Communicate Risk Appetite Statement Means to communicate the company s willingness to engage in risk: Overall risk appetite with broad statements Risk appetite for each major class of organizational goals Risk appetite for different categories of risk Provide a lens through which all levels of management may obtain guidance on the willingness to accept the risks associated with business activities in which the company may engage to achieve our corporate goals and objectives A strategic statement and directly related to organizational objectives An integral part of corporate governance A guidance document regarding the allocation of resources A general directive on infrastructure/supporting activities in pursuit of organizational objectives Experis Tuesday, July 10,

11 Risk Appetite Qualitative view Universal Risk Universe - Key Categories Risk Threshold Control Structure Earnings volatility 4 5 Liquidity 3 4 Capital Requirements 1 2 Changing economic conditions 3 4 Customer satisfaction 1 2 Reputation 2 3 Information Security and accuracy 2 3 Regulatory Standing 1 2 Fraudulent/unethical activity 1 1 Employee turnover 3 4 Experis Tuesday, July 10, Risk Appetite example Experis Tuesday, July 10,

12 Risk Appetite example Quantitative view Capital Levels The Company will accept risks to the extent that it can maintain a capital level el of $ less than each of the three well capitalized regulatory capital requirements for financial institutions. Earnings Performance The Company will accept risks to the extent that it can maintain a Return on Equity within the top quartile of its peers. Liquidity The Company takes a conservative position with respect to liquidity, idit avoiding risks that t may reduce its secured liquidity to less than $ million. Asset Quality The Company will actively mitigate risks potentially leading to a net charge-off/total loans ratio exceeding %. Experis Tuesday, July 10, Risk Appetite example Quantitative view (continued) Growth The Company is open to investments and/or new products having a potential rate of return rn of greater than %, as long as there is low to moderate risk of loss during the first year of operation. Compliance The Company is committed to fulfilling all of its regulatory obligations, and will take all actions necessary to avoid any risk of non-compliance (zero tolerance). Reputation The Company does not accept any risks with even a moderate likelihood lih of creating loss of public, customer, stakeholder or employee confidence and/or adverse media coverage. Experis Tuesday, July 10,

13 C. Monitor and Update Means to review the application of risk appetite Accomplished through specifics identified with risk tolerances / performance metrics Incorporated into ERM reporting and dashboards Internal Audit can provide independent insight on the accuracy and alignment of tolerances Experis Tuesday, July 10, Polling Question #2 Which of the following is NOT a key component or Risk Appetite A. Established by the Board of Directors B. Can be communicated through a Risk Appetite Statement C. Can be either Qualitative or Quantitative D. Should be similar between all companies within a given industry Experis Tuesday, July 10,

14 Sample Risk Universe INTERNAL RISKS Operational Resource Strategic Client/Partner Change Order Client Expectations Client Indecision Client Interferences Client Management Turnover Client Response Time Errors in Client Information New Client Selection Process Schedule Available Bidding Time Completion Deadlines and Milestones Force Majeure Logic and Update Resource Management Control Warranty Quality Testing Design Constructability Plan Coordination Process/Technology Scope Completeness Execution Business Interruption Change Order Management Environment Logistics Site Safety Procurement Bondability Timeliness of Buy-Out Commodity Coordination Performance Sub Profile Workload Estimating Adjustments Price Quantity Trade Coverage Legal Contract Types Dispute Management Employment Contractual Misinterpretations Non-Performance Terms and Conditions Third Party Integrity Fraud Illegal Acts Program Development Feasibility Needs Analysis Financial Capital Availability Collectibility Interest Rate Investment Evaluation Liquidity Surety Tax People Adaptability Competencies Availability Critical Person Turnover Information Accuracy Measurement Alignment Security/Control Technology Availability Timeliness Usefulness Brand Erosion Business Model Communication Incentive Alignment Market Diversification Market Penetration Organization Structure Succession EXTERNAL RISKS Regulatory Environment Competitor Market Changes in Law Compliance Catastrophic Community Political Trade Labor Availability Key Relationships Core Competencies Demand ERM Strategies for Internal Audit 15 Experis Goals: Tuesday, 1. Financial July 10, Targets Market Mix/Penetration 3. Progress Towards Establishing Future Goals 4. Employee/Customer27 Inherent Risk - Top 10 by Group Risk Ranking Risk Classification Risk Category Risk Senior & Other Senior Other Resource Capital / Liquidity Capital access / availability / allocation Resource Capital / Liquidity Liquidity Resource People Morale / productivity Resource Capital / Liquidity Secondary marketing Operational Integrity Credit Policy Adherence Strategic Strategic New business evaluation Operational Integrity Tone at the Top Strategic Strategic Cost control / budget discipline Operational Deposit Base Management Attracting deposit accounts Strategic Strategic Brand reputation / recognition Strategic Strategic Media attention External Regulatory Compliance Cooperation with regulators 41 31` 47 Experis Tuesday, July 10,

15 Jan-01 Feb-01 Mar-01 Apr-01 May-01 Jun-01 Front Office Middle Office Ope rations Accounting IT 7/10/2012 Tolerances example: Executive Risk Report We would expect the audience would include executives such as: Board CEO COO CFO Senior managers Senior finance managers Risk management Bonding Staff Turnover % Bonding Utilization Versus Margin At Risk project profits Business Unit 8% 6% 4% 2% 0% M arg in o n Bonded Work Jan- 01 Feb- 01 Mar- 01 Apr- 01 May- 01 Staff turnover by Project/Dept Key Risk Indicators On Target Fundamental Value Trend Change orders 12 Schedule delays 90 Customer mix 76 Unbonded subs 60 Labor productivity 55 Risks by Business Area Business Unit Overall Customer Satisfaction 0% 20% 40% 60% 80% 100% 1 91% 2 42% 3 87% 4 82% 5 63% Safety Events By Geographical Region 11% 16% 5% Sample Commentary Staff turnover continues to require new untested staff on key projects ABC project has change orders that exceed owner s loan balance Employees say they don t know how to use existing systems 30% of projects have negative float on critical path Financial reports from Division don t tie to detail records 47% 21% Experis Tuesday, July 10, Governance Key Risk Questions Is there a process for reporting risk and performance? Does the organization structure support risk reporting? Reporting Strategy Is there a process for assessing risk and capabilities? Is Board advised of mission-critical risks? Are key uncertainties being managed? Are there assurances that our capabilities are effective? Is a risk-sensitive culture in place? Execution Tolerance and Policy Is opportunityseeking behavior balanced with risktaking? Are boundaries and limits adequately defined? Experis Tuesday, July 10,

16 Applying the Governance Board of Directors Review risk policy, risk management structure, establish risk appetite and tolerances Understand and oversee overall risk profile and risk management structure Approve risk strategies Oversight /Assessment of risk monitoring Risk Committee (Or existing Management Committee) Approve/oversee risk tolerances, initiatives, strategies Delegate and oversee authority & accountability for specific risk management Coordinate overall risk reporting and monitoring Risk Owners/Process Owners Manage risks in accordance with tolerances and priorities Assist Risk Committee with risk reporting Primary responsibility for identifying, managing and monitoring risks within their delegated authority Experis Tuesday, July 10, Polling Question #3 Responsibility for Monitoring and the performance of the company against the respective risk tolerances belongs to: A. The Board of Directors B. Senior Management C. Process Owners D. Risk Owners E. All of the above Experis Tuesday, July 10,

17 Questions Eric Gerner, Director of Risk Advisory Services Ei i (703) Experis Tuesday, July 10, About Experis Finance Experis Finance delivers innovative project solutions and professional resourcing services in the areas of risk advisory, tax and finance & accounting Visit experis.us/finance to download the latest white papers and compliance updates Experis Tuesday, July 10,