Learn what is changing in the ERM Framework, how it may impact the Board and your Strategy Selection, and a guide to aligning Risk with Strategy & Performance. COSO is revamping its ERM framework after over a decade! What are the BIG changes coming? Learn what it holds for you and leverage it to streamline your risk management in the current business environment. Presenters: Amit Dewan CPA, CISA, CRMA, CA, Director of Client Services at Aviva Spectrum & Ali Alizada, Senior Associate at Aviva Spectrum
Compliance Made Simple ™
Introductions
• Ali Alizada, ISA
Sr Associate at Aviva Spectrum
Specialize in Control Compliance Assessment
Certified Blackline Implementation Partner
• Amit Dewan, CPA, CISA, CRMA, CA
Director of Client Services at Aviva Spectrum.
Specialize in Compliance Assessment, ERP implementations
Polling question
How many of us have the existing ERM integrated framework in place?
Today’s Agenda
• What is Changing in the ERM Framework
• How it may impact the Board & your Strategy Selection
• Guide to aligning Risk with Strategy & Performance
ERM DRAFT – 2016!
• Executive Summary (14 pages)
• Public Exposure (132 pages)
ERM DRAFT – 2016!
• Application Techniques, which provided illustrations of techniques used at various levels of an organization in applying enterprise risk management components, will not be updated as part of this project.
Why New ERM?
• The idea behind ERM is to enhance an organization's ability to manage "uncertainty" and to consider "how much" risk to accept in pursuit of increasing shareholder value.
• Since 2004 (when the original framework was established) the business environment and its risk complexities have changed with the emergence of new risks.
• In this new environment Boards need to continue managing risk, but with the old framework (designed in 2004)? Hmm, don't think so. So coming to the rescue is the new framework.
Why new ERM? (cont.)
The name says it all:
Enterprise Risk Management: Aligning Risk with Strategy and Performance
This new framework is expected to provide greater insight into strategy and the role of ERM in:
– Setting and executing strategy
– Enhancing alignment between the organization's performance and ERM
– Accommodating expectations for governance oversight
The Integrated framework (2004)
Its philosophy was to help entities better protect and enhance stakeholder value:
"Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives."
Therefore, the updated Framework in the current publication:
- Connects the management of a multitude of risks with stakeholder expectations
- Positions risk in terms of performance rather than as an isolated exercise producing a list of risks
- Enables the organization to be more anticipatory and to look at valuable opportunities created by change
New Definition
ERM is defined as "the culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value."
The definition brings focus on managing risk through:
– Recognizing culture and capabilities
– Applying practices
– Integrating with strategy-setting and its execution
– Managing risk to strategy and business objectives
– Linking to creating, preserving, and realizing value
Key CHANGES Expected
• Adopts a components and principles structure
• Simplifies the definition of enterprise risk management
• Emphasizes the relationship between risk and value
• Renews the focus on the integration of enterprise risk management
• Examines the role of culture
• Elevates discussion of strategy
Key CHANGES Expected (contd.)
• Enhances the alignment between performance and enterprise risk management
• Links enterprise risk management into decision-making more explicitly
• Delineates between enterprise risk management and internal controls
• Refines risk appetite and acceptable variation in performance (risk tolerance)
Impact on Board & Strategy Selection
The Board has responsibility for risk oversight, and its mix of skills, experience and business knowledge needs to be appropriate.
Closely link strategy and objectives to both risk and opportunity.
ERM helps the Board gain a better understanding of how risk may impact the choice of strategy, and provides a sense of the selected strategy's strengths and weaknesses as conditions change.
The Board can be more confident that alternatives have been considered.
Impact on Board & Strategy Selection (contd.)
Strategic value benefits of integrating ERM (to name a few):
• Increasing the range of opportunities
• Identifying and managing risk entity-wide
• Reducing negative surprises and increasing gains
• Reducing performance variability
• Improving resource deployment
Aligning Risk with Strategy & Performance
The framework itself is a set of principles:
• Risk Governance and Culture: sets the organization's tone; establishes oversight responsibilities; ethical values; desired behaviors.
• Risk, Strategy, and Objective-Setting: strategic-planning process; risk appetite.
• Risk in Execution: achievement of strategy and business objectives; risks prioritized by severity; risk responses.
• Risk Information, Communication, and Reporting: continual process of obtaining and sharing necessary information, which flows up, down, and across the organization.
• Monitoring ERM Performance: consider how well ERM components are functioning over time and in light of substantial changes.
Join the Community
• Free CPE webinars (LIVE)
• Free templates
• Decoding the Updated ERM webinar (Q1/Q2 2017)
Compliance Diagnostic
Email us for 3 SPOTS ONLY: Info@avivaspectrum.com
SUBJECT: ERM CCA Diagnostic
Process: Intake → Analysis → Report
ALI:
So glad to see you all join in today. I can see we have well over 85 participants, and that is an impressive group of professionals all excited for our topic of discussion today.
So here are a few highlights about the new ERM framework that COSO has been working on:
PwC has taken the lead in updating the ERM framework, with oversight from an Advisory Committee, and the full board will finalize/approve the updated ERM framework.
The comment period ended just a couple of months ago, on September 30, 2016, and the framework is expected to be released sometime in 2017.
The 2004 ERM will continue to exist; however, they reserve the right to supersede it, and given past experience with COSO 2013, we expect that ~2 years after the final ERM is published they will supersede the 2004 version. The estimated target adoption year is now looking like 2019! Note: it won't be mandatory, just like the 2004.
The 2013 Internal Control - Integrated Framework will continue to exist and is supposed to complement the new ERM.
ALI: Let's take a quick poll.
OK, I see the results here. Looks like ____% have experience with the existing ERM and some of us are new to this.
ALI: Introduce the agenda.
OK, so let's briefly go over today's agenda. First of all, we are going to talk about… Secondly, we will discuss… And lastly, we will go over the…
So Amit, how do you look at this change?
AMIT:
I in fact find that I end up deploying the ERM model to manage my biggest entrepreneurship venture with my wife, that is, my kid. We think of the mission we have set for ourselves as it relates to our kid, and how we need to evolve with the changing environment and the change in his life with every day of growth: school, kids' classes, games, reading, and of course the choice of TV programs. Decisions that get influenced: buying a home, a car (large family, large car!), a college fund, etc.
ALI: That was an interesting tie-up to ERM. I think I can safely say that it's only we risk management professionals who are so enthusiastic about risk management that we identify its deployment in managing our kids.
Now we all know the original framework, the "integrated framework", came in 2004 and it seems to have been widely accepted and implemented. So Amit, what has prompted the creation of this "UPDATED" framework? And what does it include?
AMIT:
Here is a quick backdrop first:
FAQ audience = Partners, Managers/Senior Auditors (CPA structure)
Industry structure = CAE, Managers, Staff auditors
Executive Summary = Audit Committee/Board of Directors package in the year-end package, for those of you with a 12/31 year-end
Public Exposure = wait till it's final! Then read it!!!
Survey period just ended
AMIT:
Application techniques will not change. They will have an additional appendix of examples.
AMIT:
Ali, to answer your question about why change, or rather "UPDATE", the existing framework: now this is a problem that superheroes, Team Avengers, gave up on, and so the mighty COSO stepped in again and put together a new framework.
AMIT, continue:
Of course it is not a CUBE [by the way, the existing COSO Cube will continue to exist].
This graphic depicts that everything an entity works towards is determined by its mission, vision, and core values.
Now to get there, you strategize and set business objectives. And that is where ERM comes most heavily into play, with the ultimate outcome being "Enhanced Performance" in every possible scenario. In fact I want to draw your attention to the "every possible scenario" I just stated, because the essence of the new framework is to set up expectations for various acceptable performance levels and tolerable risk for each of those performance levels, versus just setting a strategy and then thinking of risks related to that strategy. So it is not just about a list of risks but wider than that.
Amit to open the slide, read the old definition and then add:
With years of application came the realization that certain aspects of the existing framework would benefit from more depth and clarity, as well as greater insight into the links between strategy, risk, and performance.
ALI:
So Amit, what you are saying is that:
Enterprise risk management is more than a risk listing. Managing risk across an organization requires more than listing the “top 10” risks or making an inventory of all risks within the organization. Enterprise risk management is broader and includes practices that management puts in place to actively manage risk to appropriate levels.
Enterprise risk management addresses more than internal control. Internal control is an integral subset of enterprise risk management. But enterprise risk management also addresses other topics such as setting strategy, governance, communicating with stakeholders, and measuring performance. Its principles apply at all levels of the organization and across all functions.
AMIT:
Enterprise risk management is not a checklist. It is a set of principles on which processes can be built for a particular organization, and it is a system of monitoring, learning, and improving performance.
Enterprise risk management can be used by organizations of any size. If an organization has a mission, a strategy, and objectives—and the need to make decisions under uncertainty—then enterprise risk management can be applied. Enterprise risk management can and should be applied by all kinds of organizations, from small shops to community-based social enterprises to government agencies to Fortune 500 companies.
ALI:
So Amit, what are the key changes that are expected?
AMIT:
So let's start with the definition.
Amit to elaborate on each change.
OPEN, ALI:
That brings us to the second item on our agenda: How the new ERM impacts the Board and Strategy Selection.
We understand that the risk landscape is changing. And every choice we make in the pursuit of objectives has its risk, from day-to-day operational decisions to boardroom discussions dealing with uncertainty as part of decision making.
ALI: Amit, can you share how this new, or rather "updated", framework impacts the Board and ties to strategy selection?
AMIT: Ali, given the complexity of uncertain environments, our decisions are hardly a simple "yes/no" or a right-or-wrong answer. So ERM has some creativity to it, just like art, and the objectivity of science as well.
And when uncertainty is considered in the formulation of an organization's strategy and business objectives, enterprise risk management helps to optimize outcomes.
Stakeholders are more engaged today, seeking greater transparency and accountability for managing risk. For example, even success can bring risk with it: the risk of not being able to fulfill unexpectedly high demand, or of not being able to maintain business momentum that has become an expectation.
So it is about being adaptive to change.
The Board's mix of skills and experience needs to be appropriate to assess risk in light of strategy and objectives. It needs to be satisfied that a culture of risk-aware decision making is embedded throughout the entity.
AMIT, end: So once strategy is set, ERM provides an effective way for a board to fulfill its risk oversight role by knowing that the organization is attuned to risks that can impact strategy and is managing them well.
AMIT:
All organizations need to set and periodically adjust strategy with an awareness of both ever-changing opportunities for creating value and—at the same time—the challenges they will face in pursuit of that value. They need the best possible framework for optimizing strategy and performance.
Increasing the range of opportunities: By considering all possibilities—both positive and negative aspects of risk—management can identify new opportunities and unique challenges associated with current opportunities.
Identifying and managing risk entity-wide: Sometimes a risk can originate in one part of the entity but impact a different part. Consequently, management identifies and manages these entity-wide risks to sustain and improve performance.
Reducing negative surprises and increasing gains: It allows entities to improve their ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses, while profiting from advantageous developments.
Reducing performance variability: For some, the challenge is less with surprises and losses and more with variability in performance. In addition, performing ahead of schedule or beyond expectations may cause as much concern as performing short of schedule and expectations. ERM allows entities to anticipate the risks that would impact performance and enables them to put in place the actions needed to minimize disruption.
Improving resource deployment: Obtaining robust information on risk allows management to assess overall resource needs and enhance resource allocation.
These benefits highlight the fact that risk should not be viewed solely as a potential constraint or challenge to executing a strategy. Rather, the change that underlies risk and the organizational responses to risk also give rise to strategic opportunities and key differentiating capabilities. As such, the role of risk in selecting and evaluating a strategy requires deeper consideration.
ALI: Amit, so how does risk play a role in this strategy selection?
AMIT:
Strategy is about making choices and accepting trade-offs. So you look for the "best approach". And risk is an integral part of any strategy setting. But risk has more often than not been evaluated as it relates to an existing strategy, i.e., the decision focuses on "risk to strategy".
Now there are two additional aspects that impact an entity's risk:
One is the possibility of strategy not aligning with an organization's mission, vision, and core values. These have been demonstrated to matter, and they matter most when it comes to managing risk and remaining resilient during periods of change. So the chosen strategy must support the organization's mission and vision.
And the other is that
we make decisions on the trade-offs inherent in the strategy. Each alternative strategy has its own risk profile. Alternative strategies are built on different assumptions, and those assumptions are sensitive to change in different ways. Change may come in various forms, such as customer behaviors, shifting employee capabilities, the competition's response, regulatory or geopolitical developments, or just about any other factor that upends the assumptions behind a strategy. Boards should want to understand these sensitivities, the implications of the strategy, before they approve a strategy. They should also monitor business developments to ascertain whether these assumptions continue to remain valid and, if not, what actions need to be taken, including revisiting strategy.
ALI:
So if I understand you correctly, what we are emphasizing is that risk is not just the risk to strategy; it is not a "constant". It changes, and so does the need to change, or consider changing, your strategy or the alternate strategy, without losing or compromising your organization's mission, vision and core values.
ALI:
Let's move on to our next area of discussion, which is Aligning Risk with Strategy and Performance, because ERM is embedded throughout an entity and it influences and aligns strategy and performance across departments and functions.
AMIT: The framework is itself a set of principles.
Risk Governance and Culture: Risk governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
Risk, Strategy, and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
Risk in Execution: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
Risk Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
Monitoring Enterprise Risk Management Performance: By monitoring risk management performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes.
ALI:
Now we are open to questions. Please use your chat box to enter any questions for either myself or Amit.
While we wait for questions, I wanted to invite you all to join our LinkedIn Group.
Click to next slide.
ALI: Also, for the first two respondents we will offer a free 1-hour consultation to perform a Control Compliance Assessment (CCA) to help diagnose the health of your compliance environment. But remember, this is only for the first 3 requests.
Click to next slide:
ALI:
I know a lot of you got a lot of value from this webinar, and some of you for sure are starting to think about "what's next for me?"
You're not alone! Amit and I have spent several hours developing this webinar, and we decided that we wanted to do more than the average webinar series on ERM. We actually sat down and took apart the new, soon-to-launch ERM as well as the several pages of guidance materials from COSO, ITGI, ISO, COBIT, PCI and ISO standards. And we developed a unique diagnostic to identify the top potential compliance vulnerabilities that a company should consider addressing. What we've done is created a 1-hour analysis with me and Amit together to identify whether your organization has things buttoned up tightly or whether you have a few missing things you'll need to address on your own. So imagine a priority-driven and proven "road map" that will guide you on where to start first and what should be fixed first. It's complimentary, and here's how it functions:
NDA
Intake scheduled
Benchmark
Custom industry focused “Compliance Vulnerabilities” Recommendation report
ALI:
Amit, we have this question:
1. So what should I expect of my board now?
AMIT: Ali, one of the simplest ways to put it to the board may be to mention to them that, as part of its oversight role, the board has traditionally been involved in "preventing the destruction of value", like a supporting role, but now the board is increasingly expected to contribute to "value creation" through oversight and involvement in vetting strategy.
Specifically, boards should consider asking their leadership different kinds of questions about risk and resilience in order to enhance the dialogue with management to include the more strategic aspects of enterprise risk management.
Talk not only about risk processes but also about risk culture. How does management monitor the company's risk culture, and how has that changed? As things change (and things will change whether or not they're on the entity's radar), how can the board be confident of an appropriate and timely response?
ALI: Amit, we have another question:
2. How can an entity improve its risk understanding?
AMIT: A simple way to start would be to ask questions. For example, leaders (not just the Chief Risk Officer) should ask probing questions. How does risk factor into business decisions? Consider: can these leaders clearly articulate the entity's risk appetite and how it might influence a specific decision?