1. Enterprise Risk Management
‐ Building the Business Case
‐ Practical Implementation Tips
Thomas Mulhare
Partner in Charge,
Financial Services and Business Risk Advisory Services
Jerry Ravi
Senior Manager,
Business Risk Advisory Services
February 2, 2010
3. SHAREHOLDER VALUE DECLINES
Common means by which Shareholder Value is Destroyed:
[Chart: categories Strategic and Business, Operational, Financial, Compliance; values shown: 5%, 15%, 20%, 60%]
4. What CFOs Think
• 52% have a formalized risk management program
• 42% do historic comparisons to avoid risk
• 32% set specific risk thresholds
• 29% create risk‐adjusted forecasts and plans
Source: The Global CFO Study 2008
5. Why ERM is Important
Underlying principles:
• Every entity exists to realize value for its stakeholders.
• Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day‐to‐day.
ERM supports value creation by enabling management to:
• Deal effectively with potential future events that create uncertainty.
• Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
6. ERM Principles
• Talented People: Skilled project leaders who can think “outside the box”
• Sharing & Knowledge Transfer: Willingness to cross boundaries posed by information silos
• Effective Process: Effective process to identify and manage risks
7. ERM – What went wrong?
• Risks were not fully understood
• Management overrides
• Compensation focused on short term
• Not enough Board involvement
• Inadequate communication
8. Other Risk Drivers for ERM Implementation
FEI Study: 60% of senior executives “lack high confidence” that their company’s risk management practices identify and manage all potentially significant risks
NYSE: Requires audit committee charter to include reference to the committee’s responsibility to “discuss risk assessment and risk management”
NACD: “It is the board’s responsibility to ensure that management has instituted processes to identify major risks and has developed plans to deal with such risks. BOARDS WILL BE HELD ACCOUNTABLE
9. ERM Challenge – More Than Audit Committee
• Defining & Managing Expectations
– Board – Who on Board is responsible for all Risk
– Audit Committee – Monitoring
– Executive Management – Key Sponsor of ERM
• Coordinating with Other Risk Monitoring & Assurance Groups:
– Compliance
– Legal
– Safety/OSHA
– Loss Prevention
– External Audit
• Risk Committee?
10. ERM: Breaking Down Silos
Underwriting, Financial Reporting, Information Technology, Reinsurance, Claims, Regulatory
New Products / Lines of Business
Human Resources
Policies & Procedures
11. What benefits come from ERM?
• Better information about risks
• Make more informed decisions
• Better communication
• Strengthen governance practices
• Increased accountability
• Reduce earning volatility
• More comprehensive Stress Test
• Help to meet strategic goals
12. Managing Risk = Better Performance
Align corporate goals with:
• Strategies
• Objectives
• Risks
• Performance metrics
Understanding the sources of risk and their relevant performance metrics helps manage:
• People
• Processes
• Information
• Assets or technology
13. A Practical ERM Approach
• The ERM Continuum
• Key Implementation Factors
– Setting Expectations
– Identifying your first steps
– Build the “ERM Engine” – Creating the Process
– Risk Identification, Assessment and Analysis
– Monitoring and Reporting
• Success Factors
• EXAMPLES: RISK ASSESSMENT & TOOLS
14. Evolution of ERM Methodology
ERM is not a “One Size Fits All” approach. The key is to remember this is a PROCESS!
Strategic View: “A Strategic Tool”
Integrated Risk: “Managing Risks Better”
Compliance
15. Setting Expectations
• Executive endorsement
• Direct reporting is critical
• Leverage existing risk functions
• Develop a risk mindset, starting at the Top
• Difference between Compliance (SOX) and ERM
16. Identifying your First Steps
• Determine what’s right for your company
• Determine your risk philosophy
– Survey risk culture via a “Risk Health Check”
– Consider organizational integrity and ethical values
• Decide on roles and responsibilities
– Identify sponsors and owners (i.e., Board, Management, Risk Officers, Internal Auditor)
• Assess where you are on the ERM Continuum
• Create a process
17. Example: Risk Health Check (Culture & Alignment)
• To what extent is the “culture” supportive of advancing an enterprise view of risk management?
• How has the significance of risk governance been communicated (i.e., regular communications and documentation)?
• How comfortable are our people in discussing risk? Are they afraid to raise difficult issues? How quickly do they raise issues?
• Is risk management built into decisions about capital allocation, acquisition, succession planning, and other strategic initiatives?
• Would you describe the organization’s approach to risk management as:
– Reactive to risks that occur
– Proactive about risk possibilities
• How might our compensation programs encourage inappropriate short‐term risk taking? How can we change these programs to encourage risk‐taking instead? What mechanisms exist to recover compensation when excessive risk‐taking occurs?
18. Building the "ERM" Engine – Creating the Process
• Build Consensus around the process
• Identify ERM Task Force
• Identify objectives (strategic, financial, operational, etc.)
• Identify / discuss corporate risk appetite
• Define the scope of process
• Review and leverage existing documentation
• Kickoff initial planning workshops with process owners
• Continuously Monitor the Process – “Ask Questions”
19. Kickoff the Process
• Identify preliminary risk language and categories
• Develop risk inventory questionnaires
• Develop materials and hold education / risk awareness session(s)
• Initiate/schedule interviews
• Identify questionnaire recipients at the business units
20. Mid‐Market Pharmaceutical Company
Sample Risk Management Categories
Contract Management | Bio Technology | Pharmaceutical | Corporate
Competition | Dependency on CRO / Contract Manufacturing for Products | Competition (Pipeline, Generics, New, Existing) | Debt Obligation
Viability | ROI / Optimization of Resources | Planning | Liquidity
Customer Needs (Long‐Term focus) | Product Approvals | Pricing | Capital Requirements / Financing
Profitability | Vendors / Suppliers (licensing Agreements) | Shareholder Value
Dependency of 3rd Party Contracts | Royalty Commitments / Contingencies
Expansion of existing Products (IP Protection)
Incident Reporting
Product Recalls
Regulation
IT Systems
Personnel / HR
Business Development
Vendor Management / Customer Management
Quality Procedures / SOPs
21. Risk Identification
• In general, there are three kinds of risks your institution faces:
• Risk you know of and are working on to resolve (Low Concern)
• Risk you know of and are not yet working on to resolve (Medium Concern)
• Risks you are not yet aware of but will find out via complaints, litigation, examiners and/or media attention (High Concern)
• Map risks to agreed upon categories
22. Risk Identification Tools
• Assessments
– External: works best for small to mid‐sized companies
– Continuous Internal Assessment: Via Full Time Risk Management Department
– Internal Assessments: Via Compliance, Audit, or Risk Owners
– Self Assessment Surveys: people involved in processes know them the best
• Leverage Existing Risk Related Assessments (i.e., Internal Audits, SAS70s, Compliance Reviews, Regulatory Reports)
• Conduct risk assessment interviews or brainstorming workshops with key members of management
23. Risk Assessment
• Compile all results of the risk identification process
• Quantification of risk exposure
• Options available:
‐ Accept = monitor
‐ Avoid = eliminate (get out of situation)
‐ Reduce = institute controls
‐ Share = partner with someone (e.g. insurance)
• Link Risk Assessment to the Strategic Objectives
(Example attached)
24. Impact vs. Probability
Sample: Financial Institution
Axes: IMPACT (vertical, High at top) vs. PROBABILITY (horizontal, Low to High)
High impact, low probability: Medium Risk (Share)
– Credit Risk
– The Loaning Process
High impact, high probability: High Risk (Mitigate & Control)
– Regulatory Violations and Fines
– System Outages
Low impact, low probability: Low Risk (Accept)
– Asset Management
– Turnover
Low impact, high probability: Medium Risk (Control)
– Customer Complaints
– Fee Receivables
– Trade Errors
25. Risk Analysis
• Assess and prioritize risks
• Assess the maturity of risk management strategies for the top risks
• Deploy mitigation strategy
• Develop action plan
26. Monitoring and Reporting
• Establish accountability for risks
• Summarize a risk assessment report
• Create risk dashboards for high‐level board reporting
– Leverage technology tools (screen shots attached)
• Develop a continuous monitoring program
– Ensure updates are reflected (i.e., changes in systems or processes)
27. Success Factors
• Be brutally honest with your self assessment
• Select the right people and approach
• Encourage constructive feedback
• Make it clear who owns the process
• Risk management is everybody’s job
• Learn from losses
• View it as a “Process”, not a “Project”
28. Context of the Risk Assessment
Objectives provide the context for the risk assessment …
Example Objectives
Strategy – Strategic Objectives: Increase market share by 10% over the next 3 years.
Business Unit (Region, Location) – Supporting Objectives: Deploy new line of business in San Francisco by May 2010.
Functional (IT, Accounting) – Functional Objectives: Improve availability and continuity of IT core applications by June 2010.
Risk Specific (Profitability) – Risk Management Objectives: Maintain profitability (Pricing, loss experience, etc…)
29. Example: Risk Model
Which areas of risk might be identified, analyzed, and prioritized in an ERM program?
Environmental Risks
• Capital Availability
• Liquidity
• Regulatory, Political, and Legal
• Financial Markets and Shareholder Relations
Process Risks
• Operations Risk
• Empowerment Risk
• Information Processing / Technology Risk
• Integrity Risk
• Financial Risk
Information for Decision Making
• Operational Risk
• Financial Risk
• Strategic Risk
30. EXAMPLE: Credit Administration/Loan Review
Potential Significant Risks and Overall Risk Rating: High
Strategic Risk: High
♦ Ability to achieve the business plan for targeted markets/customers/products
♦ Standardization of credit administration guidelines
Reputation Risk: High
♦ Consumer and commercial loan approval and underwriting process is highly visible to the customer
Compliance Risk: Low
♦ Risk of lawsuits, fines and penalties related to non‐compliance with lending laws and regulations
Credit Risk: High
♦ Credit risk is inherently high especially during the current downturn in the market
♦ The number of large loans ($5‐15 million) has increased significantly during the past year
♦ Nine independent bank credit cultures
♦ Risk in wire transfer and ACH continues to increase
♦ Lack of consolidated credit information for banks and non‐bank affiliates
♦ Consumer credit judgment may be inconsistent
Financial Risk: High
♦ Financial risk is inherently high in a loan origination process ‐ loans are interest rate sensitive
♦ The Federal Reserve has been decreasing interest rates over the past year
♦ ACME is in a highly competitive market
♦ Future Basel Accord implications
♦ ACME does not have a standard ALLL methodology that all banks follow
♦ Inconsistent application of non‐accrual and charge‐off policies
Operational Risk: High
♦ No formal training for loan officers on regulation changes
♦ No standard guidelines for credit policies and procedures for loan origination and approval process
♦ Some banks have specialty loan areas that perform loan operations functions
♦ Missing quality assessment review at loan origination for compliance with ACME credit documentation and approval policy
♦ Administration of participated loans is managed by the lead affiliate bank and not centrally managed. The experience levels of credit officers vary within the affiliates
♦ No standardization and centralized approval of law firms used for loan closings
Technology Risk: Moderate
♦ IT system not fully utilized or may lack data integrity due to lack of standard credit administration policies
♦ IT system is the common platform for loan processing
♦ IT system does not interface with non‐bank subsidiary systems making it difficult to compile consolidated loan information
♦ Lack of a front end system to process consumer applications that enforces ACME’s credit policies
Human Resources Risk: Moderate
♦ In the event additional employees are needed or turnover occurs, ACME may have difficulty identifying an employee internally or recruiting a candidate in a highly competitive job market
Financial Impact: High
♦ Combined loan portfolio is approximately $3.6 billion
Risk Direction Indicator: Increasing
♦ Credit risk increasing as a result of current market conditions
34. Thomas M. Mulhare, Jerry R. Ravi
Thomas M. Mulhare
Amper, Politziner & Mattia, LLP
Tel: (732) 287‐1000 x 1281
Cell: (908) 930‐1435
E‐mail: mulhare@amper.com
Jerry R. Ravi
Amper, Politziner & Mattia, LLP
Tel: (732) 287‐1000 x 1294
Cell: (732) 770‐3519
E‐mail: ravi@amper.com
The material contained in this presentation is for general information and should not be acted upon
without prior professional consultation.