ERM
SUMMARY APPROACH GUIDE
ENTERPRISE RISK MANAGEMENT
TABLE OF CONTENTS
03 Enterprise Risk Management Summary Approach Guide: Sample 1
04 Today’s Agenda
05 Welcome and Introductions
09 ERM Foundational Concepts
16 Moving to ERM
21 ERM Implementation Overview
28 Enterprise Risk Management Summary Approach Guide: Sample 2
29 ERM Approach
36 Coordination and Oversight

SAMPLE 1
TODAY’S AGENDA
• Welcome and Introductions
− New enterprise risk management (ERM) infrastructure
− Reasons for change
• ERM: What’s In It for XYZ and for You?
− How do we get there?
• ERM Foundational Concepts
• Moving to ERM
• ERM Implementation Overview
• Next Steps and Closing Remarks
WELCOME AND INTRODUCTIONS: NEW ENTERPRISE RISK MANAGEMENT (ERM) INFRASTRUCTURE
[Organization chart: Board of Directors, ERM Oversight Committee, ERM Working Group, with estimated dates for each]
The VP of ERM reports periodically to the audit committee and routinely to the CEO/CFO.
The ERM oversight committee includes all senior-level executives.
The ERM working group includes a member from each risk and compliance group as well as multiple business unit owners throughout the organization.
WELCOME AND INTRODUCTIONS: REASONS FOR CHANGE
1. Credit rating agencies are beginning to factor the company’s ERM processes into an overall rating.
2. Legislators and the general public are pressuring companies to specifically disclose how both the board and senior executives oversee and monitor the risk management practices of the company.
3. Dedicated resources should be focused fully on the development of an ERM process for XYZ.
4. Develop a process where the board and senior executives are routinely updated on the risk profile of the company associated with its strategy and operations.
5. Integrate efforts of the risk and compliance groups to eliminate redundancies in work performed (e.g., agency billing audits).
WELCOME AND INTRODUCTIONS: ERM – WHAT’S IN IT FOR XYZ AND YOU?
1. Fewer surprises occur.
2. Exposure to loss is reduced and rewards are increased.
3. Decision-making is more effective.
4. Corporate governance is improved.
5. Risk and control activities with the highest corporate priorities are aligned.
WELCOME AND INTRODUCTIONS: HOW DO WE GET THERE?
01 Ensure that front-line managers and above understand the importance of risk identification, assessment and management and are willing to embrace it.
02 Evolve ERM from a special project to being part of your daily routine (e.g., ask yourself, “what are the risks associated with XYZ?”).
03 Leverage existing tools, reports, etc. to assist with risk assessment and management where possible. Also identify other methods or tools that can facilitate this in a more effective manner across the entire company.
04 We may request meetings with you to understand the portion of the company’s overall risk profile that you help to monitor and manage.
05 GRC software is implemented to support the ERM process, as well as PMO support from Protiviti.
ERM FOUNDATIONAL CONCEPTS: A DEFINITION OF ERM
A definition provided by former Federal Reserve Board Governor Susan Bies:
A process that enables management to deal effectively with uncertainty and the associated risk and opportunity, enhancing the capacity to build stakeholder value.
ERM includes:
• Aligning XYZ’s risk appetite and strategies.
• Reducing the frequency and severity of operational surprises and losses.
• Identifying and managing multiple and cross-enterprise risks.
• Enhancing the rigor of XYZ’s risk-response decisions.
• Proactively seizing on the opportunities presented to XYZ.
ERM FOUNDATIONAL CONCEPTS: RISK
[Figure: Strategy, Risk Appetite, Risk Tolerance, Objectives, Governance and Execution shown as linked elements]
• Risk is a threat or barrier preventing the achievement of organizational objectives.
• Risk appetite is the amount of risk that XYZ is willing to accept. It sets the boundaries for the broad risk-taking activities of an organization.
− This can be quantitative or qualitative.
− This may be expressed as an acceptable balance of growth, risk and return, or as risk-adjusted shareholder value-added measures.
− Risk appetite guides resource allocation.
• Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective.
− These are generally quantitative and measured in the same units as the related objective.
ERM FOUNDATIONAL CONCEPTS: ILLUSTRATIVE RISK APPETITE STATEMENT
Management will accept a moderate level of risk in pursuing strategies to grow revenue and earnings.
Management may choose to pursue product expansion and/or acquisitions that are complementary to the existing business and capabilities and are expected to be accretive to earnings within a maximum of 18 months.
Management will accept earnings volatility of up to 50% within a one-year timeframe, provided that long-term operating margins can be maintained at 5% or higher.
Capital and liquidity must be maintained at a level that will not result in a reduction of our current dividend.
Management will not accept risks that result in more than an extremely remote threat to its state insurance licenses or Medicare contracts.
Management will not accept risks that result in more than a remote chance that our members are not receiving the level of medical care promised.
Management will not accept risks that result in more than a remote chance that our agents and providers are not reimbursed properly.
The investment portfolio will be maintained with an aggregate rating of at least AA.
ERM FOUNDATIONAL CONCEPTS: ERM AS A PICTURE
[Figure: risk appetite drives three linked steps, with a feedback loop and the resulting risk tolerances]
• Determine your strategic objectives based on your risk appetite.
• Determine the risk management techniques (Accept, Share, Reduce, Avoid) to meet your established risk tolerances.
• Understand the inherent risks associated with achieving your business strategy.
[Figure: likelihood/impact heat map]
Impact scale: Insignificant, Minor, Moderate, Major, Catastrophic.
Likelihood scale: Remote (10%), Unlikely (25%), Reasonably Possible (50%), Probable (75%), Almost Certain (90%).
Rating bands shown on the map: Low, Low to Moderate, Moderate, Moderate to High, High, Very High.
Risks plotted on the map, by priority rank:
1. Competitor
2. Business Interruption
3. IT – Systems Implement.
4. Sourcing/Supply Chain
5. Customer Satisfaction
6. IT – Infrastructure
7. Human Resources
8. Shrink/Loss Prevention
9. Consumer Privacy
10. Reg. – Price Integrity
11. Price – Interest Rate
12. Rev. Rec. – Allowances
13. Taxation
14. Business Model
15. Organizational Culture
ERM FOUNDATIONAL CONCEPTS: COMMON FRAMEWORK FOR ERM PROGRAMS
[Figure: six-phase cycle with “Information for Decision-Making” at its centre]
• Establish the risk management goals, objectives and infrastructure.
• Assess the business risk: identify, source, measure.
• Formulate the business risk management strategies.
• Design/implement the risk management process.
• Measure/monitor the risk management process performance.
• Continuously improve the business risk management process.
ERM is a continuous, formalized process of establishing, assessing, developing, implementing, monitoring and improving.
ERM is primarily focused on key risks to the organization, not necessarily all risks.
ERM FOUNDATIONAL CONCEPTS: ERM INTEGRATION WITH STRATEGIC PLANNING
[Figure: strategic planning stages – Corporate Mission, Vision and Values; Assess the External Environment; Formulate and Select a Strategy; Set Strategic Measurements and Targets – each paired with the key ERM components listed below]
Key ERM Components
• Identify the risks to achieving objectives.
• Source the risks.
• Identify, monitor and respond to emerging risks.
Key ERM Components
• Assess and prioritize risks.
• Select strategies within the organization’s risk appetite.
Key ERM Components
• Set strategic measurements and key risk indicators (KRIs).
• Identify the strategic risk owners.
Key ERM Components
• Enable communication on achievement of strategic objectives.
• Monitor, evaluate and update KRIs and risk management action plans.
• Update operational plans.
Key ERM Components
• Allocate risk management resources.
• Develop risk mitigation plans.
• Develop additional KRIs.
ERM FOUNDATIONAL CONCEPTS: VALUE OF ERM
Sustain Competitive Advantage
• Incorporate operational risk management best practices.
• Identify, assess and manage emerging external risks, including regulatory changes, access to capital and financial market volatility.
• Evaluate and manage risks associated with strategic business decisions (product/service offerings, etc.).
• Respond effectively to low probability critical/catastrophic risks (e.g., Black Swan).
Optimize Costs
• Standardize the business process and collaborate efforts to integrate it.
• Allocate resources more efficiently.
• Eliminate unnecessary controls.
Improve Business Performance
• Manage KPI shortfalls and tightened margins.
• Better understand risks and improve risk management capabilities across business functions and units.
• Improve strategic management and business planning processes.
• Expand and improve corporate governance, addressing expectations of and requests from the board (including reporting needs).
MOVING TO ERM: FIRST VERSION HAS BASIC FUNCTIONALITY
[Figure only]
MOVING TO ERM: FAST FORWARD: RISK BECOMES OPPORTUNITY
[Figure only]
MOVING TO ERM
[Table: Risk Management compared with Business Risk Management and Enterprise Risk Management]
Focus
− Risk Management: financial and hazard risks and internal controls
− Business Risk Management: business risk and internal controls, taking a risk-by-risk approach
− Enterprise Risk Management: business risk and internal controls, taking an entity-level portfolio view of risk
Objective
− Risk Management: protect enterprise value
− Business Risk Management: protect enterprise value
− Enterprise Risk Management: protect and enhance enterprise value
Scope
− Risk Management: treasury, insurance and operations are primarily responsible
− Business Risk Management: business managers are accountable
− Enterprise Risk Management: applied across the enterprise, at every level and unit
Emphasis
− Risk Management: finance and operations
− Business Risk Management: management
− Enterprise Risk Management: setting a strategy
Application
− Risk Management: selected risk areas, units and processes
− Business Risk Management: selected risk areas, units and processes
− Enterprise Risk Management: enterprisewide to all sources of value
[Figure: “Current-State” Capabilities to “Future-State” Vision – the sources of value covered widen from physical and financial assets, to also employee/supplier and customer assets, to also organizational assets]
MOVING TO ERM: POINT OF VIEW ON ERM
• ERM will never begin if you don’t know what your risks are.
• ERM is not something to build in a day. Start somewhere and build incrementally.
• The purpose of ERM infrastructure is to drive continuous improvement of ERM capabilities.
− The objective is to continuously improve capabilities around managing priority risks as
circumstances change.
• The tenets of effective ERM implementation:
− Leverage what you have.
− Integrate with what you do.
− Keep it simple.
MOVING TO ERM: COMMON ERM OBSTACLES AND PITFALLS TO AVOID
01 Failure to get “buy-in” and support from executive management (CEO).
02 An inability to demonstrate value to operational personnel and risk owners.
03 Enterprise list management.
04 A lack of dedicated resources with the appropriate background.
05 An inability to capture, summarize and manage information.
06 Ineffective or inefficient risk identification techniques.
07 Risk responsibility that is not linked to rewards.
08 General counsel concerns exist over risk documentation.
09 ERM that is not integrated with other activities and functions within the organization.
10 Failure to link risks to strategy.
ERM IMPLEMENTATION OVERVIEW: STEP 1
ERM Infrastructure
Key Elements
• Develop an ERM governance structure (e.g., charter, philosophy, risk appetite).
• Define a process/organizational classification scheme.
• Adopt a standardized risk model.
• Define roles and responsibilities.
• Conduct ERM awareness training.
• Understand existing risk management processes and/or areas of overlap.
• Gather information on company strategy and value drivers.
• Implement GRC software.
Key Outputs for XYZ
• ERM vision and responsibilities.
• Process/organizational classification scheme.
• Risk model (common language) and risk definitions.
ERM IMPLEMENTATION OVERVIEW: STEP 2
Risk Assessment and Prioritization
Key Elements
• Incorporate information from internal audit’s risk assessment, along with input from other executives on existing
and/or emerging risk areas for XYZ.
• Define risk ranking criteria (likelihood of occurrence and impact/significance to XYZ).
• Link strategic objectives/initiatives to risks.
• Prioritize key risks.
Key Outputs for XYZ
• Preliminary prioritization of identified risks.
• Risk map.
ERM IMPLEMENTATION OVERVIEW: SAMPLE RISK MAP
Key risks on the XYZ risk model will eventually be mapped based on the significance and likelihood of each risk. The risk profile associated with each quadrant of the Significance/Likelihood map is noted below.
[Figure: risk map with Impact/Significance on one axis and Likelihood on the other, each scaled 1 to 5 (Low to High), with the risk appetite boundary drawn across the map]
Secondary Risks (lower likelihood, high significance – “Black Swan”)
• Likelihood is lower but could have a significant adverse effect on the company’s ability to achieve its objectives if risk is realized.
• Monitoring is limited and detective controls are needed.
Key Risks (high likelihood, high significance)
• Critical risks potentially threaten the achievement of companywide objectives.
• High-monitoring activity and preventive controls are essential in mitigating these risks.
Low Priority Risks (low likelihood, low significance)
• The overall business impact is not deemed as significant.
• Significant monitoring is not necessary unless change occurs in risk classification.
Secondary Risks (higher likelihood, lower significance)
• Less significance exists but is more likely to occur.
• Cost/benefit trade-off is considered.
• Some monitoring and effective detective controls are needed.
• Risks are often re-assessed to evaluate changing conditions (move to high significance).
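The heat map in the foundational concepts section and the four-quadrant sample risk map above are both instances of the same scoring step: rate each risk on a likelihood scale and an impact scale, then place it on the map and rank it. The following is an added example, not code from the deck or from Protiviti, that implements that step for a small risk register. The likelihood labels with their indicative percentages and the impact labels are taken from the deck; the rule that a level of 4 or above counts as “high” on either axis, the probability-times-impact ranking score, and the sample ratings in SAMPLE_REGISTER are assumptions made for illustration (the risk names are from the deck’s risk model, the ratings are constructed).

```python
"""Risk-register scoring against a likelihood/impact map.

Added example: not code from the original deck. Likelihood and impact
scales are taken from the deck's heat map; the quadrant threshold, the
ranking score and the sample ratings below are assumptions/constructed data.
"""
from dataclasses import dataclass

# Likelihood scale from the deck: label -> (level, indicative probability)
LIKELIHOOD = {
    "Remote": (1, 0.10),
    "Unlikely": (2, 0.25),
    "Reasonably Possible": (3, 0.50),
    "Probable": (4, 0.75),
    "Almost Certain": (5, 0.90),
}

# Impact/significance scale from the deck, 1 (lowest) to 5 (highest)
IMPACT = {
    "Insignificant": 1,
    "Minor": 2,
    "Moderate": 3,
    "Major": 4,
    "Catastrophic": 5,
}

# Assumption: a level of 4 or above counts as "high" on either axis.
HIGH_THRESHOLD = 4


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str

    @property
    def likelihood_level(self) -> int:
        return LIKELIHOOD[self.likelihood][0]

    @property
    def probability(self) -> float:
        return LIKELIHOOD[self.likelihood][1]

    @property
    def impact_level(self) -> int:
        return IMPACT[self.impact]


def quadrant(risk: Risk) -> str:
    """Map a risk onto the four quadrants described on the sample risk map."""
    high_l = risk.likelihood_level >= HIGH_THRESHOLD
    high_i = risk.impact_level >= HIGH_THRESHOLD
    if high_l and high_i:
        return "Key Risks"
    if high_i:  # lower likelihood, high significance
        return "Secondary Risks (Black Swan)"
    if high_l:  # higher likelihood, lower significance
        return "Secondary Risks"
    return "Low Priority Risks"


def score(risk: Risk) -> float:
    """Assumed ranking score: indicative probability times impact level."""
    return round(risk.probability * risk.impact_level, 2)


def prioritize(register):
    """Return (name, score, quadrant) tuples, highest score first."""
    ranked = sorted(register, key=lambda r: (score(r), r.impact_level), reverse=True)
    return [(r.name, score(r), quadrant(r)) for r in ranked]


# Constructed sample register: names from the deck's risk model,
# ratings made up for illustration.
SAMPLE_REGISTER = [
    Risk("Business Interruption", "Unlikely", "Catastrophic"),
    Risk("Consumer Privacy", "Probable", "Major"),
    Risk("IT- Infrastructure", "Almost Certain", "Moderate"),
    Risk("Taxation", "Remote", "Minor"),
]

if __name__ == "__main__":
    for name, s, q in prioritize(SAMPLE_REGISTER):
        print(f"{s:5.2f}  {q:30s} {name}")
```

Ranking by probability times impact is deliberately separate from the quadrant assignment: the quadrant tells you what kind of control and monitoring the deck calls for (preventive and high monitoring for Key Risks, detective controls for the Black Swan quadrant), while the score only orders the register for discussion. A Black Swan such as the constructed “Business Interruption” entry scores below a probable, major risk, which is exactly why the deck treats that quadrant separately rather than relying on a single number.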
ERM IMPLEMENTATION OVERVIEW: QUANTIFYING RISK
[Figure: Inputs, Models and Assumptions, Outputs]
Inputs: The quality of data input determines the quality of data coming out of the model. This is often the most challenging aspect of quantifying risk.
Models and Assumptions: These should align with the firm’s goals and objectives as well as current marketplace/industry realities.
Outputs: Create outputs that are relevant to the overall firm and business units. Link outputs to performance measures/KPIs.
ERM IMPLEMENTATION OVERVIEW: RISK MEASUREMENT VALUE
Allows for return to be evaluated on a risk-adjusted basis.
Provides a method to produce comparable results across businesses with different risk profiles.
Provides a method to rank opportunities based on the opportunity risk profile.
Serves as feedback on the effect of changes in portfolio composition and risk policies (e.g., increasing % of hospice).
ERM IMPLEMENTATION OVERVIEW: STEP 3
Risk Response/Management
Key Elements
• Understand key controls/risk management activities that currently exist to address key risks, as well as gaps.
• Define key risk indicators (KRIs) and risk tolerance levels.
• Develop risk reports/dashboards and present information to executive management and the board.
Key Outputs for XYZ
• Key risk indicators for key risks.
• Risk reports/dashboards.
ERM IMPLEMENTATION OVERVIEW: WHAT DO WE DO WITH RISK?
Avoid: Eliminate risk by preventing exposure to future possible events from occurring.
Accept: Maintain the risk at its current level.
Reduce: Implement policies and procedures to lower the risk to an acceptable level.
Share: Shift the risk to a financially capable, independent counterparty.
Illustrative response tactics (grouped by response type on the original slide):
• Divest
• Prohibit
• Stop
• Screen
• Eliminate
• Target
• Retain
• Reprice
• Self-Insure
• Offset
• Disperse
• Control
• Respond
• Diminish
• Isolate
• Test
• Improve
• Relocate
• Redesign
• Diversify
• Insure
• Reinsure
• Hedge
• Transfer
• Outsource
• Securitize
• Indemnify
SAMPLE 2
ERM APPROACH
Identifying, understanding and evaluating an organization’s most significant risk areas will set the
foundation for a robust ERM program. The diagram below outlines an effective and proven approach to
building ERM capabilities that will ultimately:
• Enhance corporate governance.
• Align and integrate varying views of risk and risk management.
• Respond to the changing business environment.
[Diagram: Planning; Facilitating Risk Discussion; Risk Analysis; External Verification; Management Review; Gap Assessment; with Coordination and Oversight spanning all components]
The following pages detail each component of this ERM approach.
PLANNING
Activities
• Meet with ABC’s ERM project sponsor to confirm the scope and risk management objectives (including guidelines for defining “catastrophic” risks).
• Leverage ABC corporate audit’s risk model and confirm that it includes the necessary environment, process and information for decision-making risk categories. Adjust the model as necessary.
• Identify a cross-section of leaders within each business/region/function to participate in a facilitated risk discussion (workshop). If necessary, there may be multiple workshops within each business, region and function.
• Conduct interviews with workshop participants to better understand key risk areas within each business/region/function and to verify that the necessary risk categories are included in the risk model. Complete these interviews prior to conducting the facilitated risk workshops.
• Distribute the risk model to attendees prior to conducting each workshop to set the foundation for a common risk language.
Output/Deliverables
• ABC-specific risk model (inclusive of key risk categories)
FACILITATING RISK DISCUSSION
Activities
• Conduct facilitated risk discussions to evaluate the inherent significance and likelihood of identified risks. Using real-time, anonymous voting technology, identify ABC’s top nontraditional, catastrophic risk categories.
− Facilitated workshops provide an effective and efficient approach to holistically evaluating an organizational risk. Participants can discuss and verify issues and facts and reach meaningful conclusions that ultimately enhance risk management capabilities.
• Gather initial input on the top risk categories to begin the process to identify specific events and/or scenarios that cause each category to have an elevated priority.
Output/Deliverables
• A prioritized list of risk categories within each business/region/function
• Information on risk-specific events and/or scenarios that could significantly impact ABC
RISK ANALYSIS
Activities
• Explore the specific events within each top risk category that could have a significant or catastrophic impact on ABC. Evaluate these events in the context of broad organizational impact to identify the discrete risk points within each risk area (i.e., catalog the Level 2 and Level 3 risks).
− Example: If “Illegal Acts” is identified as a top risk category, outline and document the specific illegal acts that would cause the most damage to ABC. It may be necessary to approach these risks using a worst-case scenario.
• Identify an expert panel of ABC management relevant to each of the top five to six risk categories and facilitate discussions to identify potential risk events/scenarios within each top risk category. Confirm that the agreed-upon events are ABC-specific and adequately describe how each would contribute to a potentially catastrophic outcome.
• Consolidate and prioritize the top events in each of the priority risk categories from each of the expert panel workshops.
Output/Deliverables
• Documentation of ABC’s prioritized catastrophic risks supported by specific events and supporting explanations
EXTERNAL VERIFICATION
Activities
• Identify external resources with expert perspectives on industry and risk management topics.
• Distribute ABC’s consolidated risk universe and solicit feedback.
• Discuss external feedback with business/region/function leaders and adjust the risk universe as necessary.
Output/Deliverables
• An updated universe of ABC’s most critical risks that incorporates feedback from external experts
MANAGEMENT REVIEW
Activities
• Discuss the prioritized list of critical risks with members of ABC’s executive leadership team. Solicit feedback and update the risk list as necessary.
• Develop summary materials to communicate ERM activities and results to the board.
Output/Deliverables
• A finalized list of ABC’s top risk areas
• A board-level reporting summary
GAP ASSESSMENT
Activities
• Through a discussion and documentation review, evaluate ABC’s current capabilities to manage the identified risk categories and potential risk events/scenarios.
• Identify risks that may not be adequately controlled and perform a gap analysis.
• Communicate gaps and confirm them with business/region/function leaders.
Output/Deliverables
• A summary of risk management activities to address ABC’s top risk areas, including process gaps and associated recommendations
COORDINATION AND OVERSIGHT
• Communication between management and each business/region/function is of paramount
importance to successfully complete this ERM initiative. In coordination with management, the
risk management project team will have responsibility for overseeing all engagement activities.
• Senior members of the risk management project team will coordinate ERM activities throughout
the entirety of this project.
• The risk management project team will facilitate risk workshops, summarize workshop results,
identify and introduce external experts, and present the results to management.
• As necessary, the risk management project team will be available to assist with preparing and/or
presenting relevant materials to the board.

More Related Content

PPTX
Enterprise Risk Management
PPTX
Enterprise risk management
PPTX
Bcp task 8
PPT
Operational Risk Management & Strategic Planning
PDF
Integrating The Output From Risk Workshops Into The Business Planning Process
PPT
Coso Erm(2)
PDF
Enterprise Risk Management - Aligning Risk with Strategy and Performance
PPTX
Enterprise risk management-Yashvanth G Nayak
Enterprise Risk Management
Enterprise risk management
Bcp task 8
Operational Risk Management & Strategic Planning
Integrating The Output From Risk Workshops Into The Business Planning Process
Coso Erm(2)
Enterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise risk management-Yashvanth G Nayak

What's hot (20)

PPTX
CFO Risk Intelligence - Harvey Christophers
PPTX
Risk Management - A Journey
PDF
Enterprise risk management february 9th solution training
PDF
ERM-Enterprise Risk Management
PDF
FORUM 2013 How to embed risk management as a strategic activity
PPT
Operational risk management a strategic tool
PPT
Enterprise Risk Management
PDF
ERM and Internal Auditing 2016 Tea Talk v2a
PPT
Coso erm frmwrk
PPTX
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
PPT
Risk Management – The Building Blocks
PDF
HIRimsISO311KandERMFINAL
PPTX
Enterprise Risk Management
PPTX
Corporate risk management
DOCX
Enterprise risk management
PPTX
corporate risk management
PDF
Reporting to the Board on Corporate Compliance
PDF
Strategic risk management
PDF
Enterprise Risk Management as a Core Management Process
CFO Risk Intelligence - Harvey Christophers
Risk Management - A Journey
Enterprise risk management february 9th solution training
ERM-Enterprise Risk Management
FORUM 2013 How to embed risk management as a strategic activity
Operational risk management a strategic tool
Enterprise Risk Management
ERM and Internal Auditing 2016 Tea Talk v2a
Coso erm frmwrk
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
Risk Management – The Building Blocks
HIRimsISO311KandERMFINAL
Enterprise Risk Management
Corporate risk management
Enterprise risk management
corporate risk management
Reporting to the Board on Corporate Compliance
Strategic risk management
Enterprise Risk Management as a Core Management Process
Ad

Similar to Enterprise risk management summary approach guide (20)

PPTX
Creating Value Through Enterprise Risk Management
PPTX
Erm talking points
PPT
FX Risk Management – Best Practice Standards for Good Corporate Governance
PPTX
GRI ERM Roadmap - Program Overview
PPTX
Risk management policy presentation pppt
PPT
Developing an Effective Enterprise Risk Capability
PPT
1 -corinne_berinstein
PPT
1 -corinne_berinstein
PPT
1 -corinne_berinstein
PDF
Hoover.2016 Texas Bankers CFO Conference
PDF
Embedding RCSA into Strategic Planning and Business Strategy
PDF
Embedding RCSA into Strategic Planning and Business Strategy
PPTX
Super Strategies 2014 Risk Strategy Presentation
PPT
Presentation_20110802213554
PDF
Erm whitepaper (2)
PPTX
Enterprise risk management
PDF
Erm tm 10
PPTX
Presentation about Areas of Risk Management
PPTX
Trustee Conference AM4: Effectively managing risk
PDF
Implementing an Effective Risk Management Appetite.pdf
Creating Value Through Enterprise Risk Management
Erm talking points
FX Risk Management – Best Practice Standards for Good Corporate Governance
GRI ERM Roadmap - Program Overview
Risk management policy presentation pppt
Developing an Effective Enterprise Risk Capability
1 -corinne_berinstein
1 -corinne_berinstein
1 -corinne_berinstein
Hoover.2016 Texas Bankers CFO Conference
Embedding RCSA into Strategic Planning and Business Strategy
Embedding RCSA into Strategic Planning and Business Strategy
Super Strategies 2014 Risk Strategy Presentation
Presentation_20110802213554
Erm whitepaper (2)
Enterprise risk management
Erm tm 10
Presentation about Areas of Risk Management
Trustee Conference AM4: Effectively managing risk
Implementing an Effective Risk Management Appetite.pdf
Ad

More from AstalapulosListestos (8)

PPTX
Auditing corporate governance guide
PPTX
Social media risks guide
PPTX
Root cause analysis questionnaire
PPTX
Risk assessment facilitation guide
PPTX
It and business risk alignment guide
PPTX
Data governance guide
PPTX
Data analytics and audit coverage guide
PPTX
Business continuity planning guide
Auditing corporate governance guide
Social media risks guide
Root cause analysis questionnaire
Risk assessment facilitation guide
It and business risk alignment guide
Data governance guide
Data analytics and audit coverage guide
Business continuity planning guide

Recently uploaded (20)

PDF
Bitcoin Layer August 2025: Power Laws of Bitcoin: The Core and Bubbles
PDF
Lecture1.pdf buss1040 uses economics introduction
PDF
ABriefOverviewComparisonUCP600_ISP8_URDG_758.pdf
PPTX
Session 11-13. Working Capital Management and Cash Budget.pptx
DOCX
marketing plan Elkhabiry............docx
PPTX
4.5.1 Financial Governance_Appropriation & Finance.pptx
PDF
Dr Tran Quoc Bao the first Vietnamese speaker at GITEX DigiHealth Conference ...
PPTX
The discussion on the Economic in transportation .pptx
PDF
Predicting Customer Bankruptcy Using Machine Learning Algorithm research pape...
PDF
ssrn-3708.kefbkjbeakjfiuheioufh ioehoih134.pdf
PPTX
Session 3. Time Value of Money.pptx_finance
PPTX
Introduction to Managemeng Chapter 1..pptx
PDF
ECONOMICS AND ENTREPRENEURS LESSONSS AND
PPTX
kyc aml guideline a detailed pt onthat.pptx
PDF
ECONOMICS AND ENTREPRENEURS LESSONSS AND
PDF
Dialnet-DynamicHedgingOfPricesOfNaturalGasInMexico-8788871.pdf
PDF
NAPF_RESPONSE_TO_THE_PENSIONS_COMMISSION_8 _2_.pdf
PPTX
Introduction to Essence of Indian traditional knowledge.pptx
PDF
Chapter 9 IFRS Ed-Ed4_2020 Intermediate Accounting
PDF
final_dropping_the_baton_-_how_america_is_failing_to_use_russia_sanctions_and...
Bitcoin Layer August 2025: Power Laws of Bitcoin: The Core and Bubbles
Lecture1.pdf buss1040 uses economics introduction
ABriefOverviewComparisonUCP600_ISP8_URDG_758.pdf
Session 11-13. Working Capital Management and Cash Budget.pptx
marketing plan Elkhabiry............docx
4.5.1 Financial Governance_Appropriation & Finance.pptx
Dr Tran Quoc Bao the first Vietnamese speaker at GITEX DigiHealth Conference ...
The discussion on the Economic in transportation .pptx
Predicting Customer Bankruptcy Using Machine Learning Algorithm research pape...
ssrn-3708.kefbkjbeakjfiuheioufh ioehoih134.pdf
Session 3. Time Value of Money.pptx_finance
Introduction to Managemeng Chapter 1..pptx
ECONOMICS AND ENTREPRENEURS LESSONSS AND
kyc aml guideline a detailed pt onthat.pptx
ECONOMICS AND ENTREPRENEURS LESSONSS AND
Dialnet-DynamicHedgingOfPricesOfNaturalGasInMexico-8788871.pdf
NAPF_RESPONSE_TO_THE_PENSIONS_COMMISSION_8 _2_.pdf
Introduction to Essence of Indian traditional knowledge.pptx
Chapter 9 IFRS Ed-Ed4_2020 Intermediate Accounting
final_dropping_the_baton_-_how_america_is_failing_to_use_russia_sanctions_and...

Enterprise risk management summary approach guide

  • 2. TABLE OF CONTENTS 03 Enterprise Risk Management Summary Approach Guide: Sample 1 04 Today’s Agenda 05 Welcome and Introductions 09 ERM Foundational Concepts 16 Moving to ERM 21 ERM Implementation Overview 2 28 Enterprise Risk Management Summary Approach Guide: Sample 2 29 ERM Approach 36 Coordination and Oversight
  • 4. TODAY’S AGENDA 4 • Welcome and Introductions − New enterprise risk management (ERM) infrastructure − Reasons for change • ERM: What’s In It for XYZ and for You? − How do we get there? • ERM Foundational Concepts • Moving to ERM • ERM Implementation Overview • Next Steps and Closing Remarks
  • 5. WELCOME AND INTRODUCTIONS: NEW ENTERPRISE RISK MANAGEMENT (ERM) INFRASTRUCTURE 5 Board of Directors ERM Oversight Committee ERM Working Group Estimated Dates The VP of ERM reports periodically to the audit committee and routinely to the CEO/CFO. The ERM oversight committee includes all senior-level executives. The ERM working group includes a member from each risk and compliance group as well as multiple business unit owners throughout the organization.
  • 6. WELCOME AND INTRODUCTIONS: REASONS FOR CHANGE 6 1 Credit rating agencies are beginning to factor the company’s ERM processes into an overall rating. Legislators and the general public are pressuring companies to specifically disclose how both the board and senior executives oversee and monitor the risk management practices of the company. 2 3 Dedicated resources should be focused fully on the development of an ERM process for XYZ. Develop a process where the board and senior executives are routinely updated on the risk profile of the company associated with its strategy and operations. 4 5 Integrate efforts of the risk and compliance groups to eliminate redundancies in work performed (e.g., agency billing audits).
  • 7. WELCOME AND INTRODUCTIONS: ERM – WHAT’S IN IT FOR XYZ AND YOU? 7 1 2 3 4 5 Fewer surprises occur. Exposure to loss is reduced and rewards are increased. Decision-making is more effective. Corporate governance is improved. Risk and control activities with the highest corporate priorities are aligned.
  • 8. WELCOME AND INTRODUCTIONS: HOW DO WE GET THERE? 8 01 Ensure that front-line managers and above understand the importance of risk identification, assessment and management and are willing to embrace it. 02 Evolve ERM from a special project to being part of your daily routine (e.g., ask yourself, “what are the risks associated with XYZ?”). 03 Leverage existing tools, reports, etc. to assist with risk assessment and management where possible. Also identify other methods or tools that can facilitate this in a more effective manner across the entire company. 04 We may request meetings with you to understand the portion of the company’s overall risk profile that you help to monitor and manage. 05 GRC software is implemented to support the ERM process, as well as PMO support from Protiviti.
  • 9. ERM FOUNDATIONAL CONCEPTS: A DEFINITION OF ERM 9 A definition provided by former Federal Reserve Board Governor Susan Bies: A process that enables management to deal effectively with uncertainty and the associated risk and opportunity, enhancing the capacity to build stakeholder value. • Aligning XYZ’s risk appetite and strategies. • Reducing the frequency and severity of operational surprises and losses. • Identifying and managing multiple and cross-enterprise risks. • Enhancing the rigor of XYZ’s risk-response decisions. • Proactively seizing on the opportunities presented to XYZ. ERM includes:
  • 10. ERM FOUNDATIONAL CONCEPTS: RISK 10 Strategy Risk Appetite Risk Tolerance Objectives Governance Execution • Risk is a threat or barrier preventing the achievement of organizational objectives. • Risk appetite is the amount of risk that XYZ is willing to accept. It sets the boundaries for the broad risk-taking activities of an organization. − This can be quantitative or qualitative. − This may be expressed as an acceptable balance of growth, risk and return, or as risk-adjusted shareholder value-added measures. − Risk appetite guides resource allocation. • Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective. − These are generally quantitative and measured in the same units as the related objective.
  • 11. ERM FOUNDATIONAL CONCEPTS: ILLUSTRATIVE RISK APPETITE STATEMENT
    • Management will accept a moderate level of risk in pursuing strategies to grow revenue and earnings.
    • Management may choose to pursue product expansion and/or acquisitions that are complementary to the existing business and capabilities and are expected to be accretive to earnings within a maximum of 18 months.
    • Management will accept earnings volatility of up to 50% within a one-year timeframe, provided that long-term operating margins can be maintained at 5% or higher.
    • Capital and liquidity must be maintained at a level that will not result in a reduction of our current dividend.
    • Management will not accept risks that result in more than an extremely remote threat to its state insurance licenses or Medicare contracts.
    • Management will not accept risks that result in more than a remote chance that our members are not receiving the level of medical care promised.
    • Management will not accept risks that result in more than a remote chance that our agents and providers are not reimbursed properly.
    • The investment portfolio will be maintained with an aggregate rating of at least AA.
  • 12. ERM FOUNDATIONAL CONCEPTS: ERM AS A PICTURE
    (Diagram: Risk Appetite and Risk Tolerances bound a cycle with a Feedback loop.)
    • Determine your strategic objectives based on your risk appetite.
    • Determine the risk management techniques (Accept, Share, Reduce, Avoid) to meet your established risk tolerances.
    • Understand the inherent risks associated with achieving your business strategy.
    Heat map axes (IMPACT vs. LIKELIHOOD):
    • Likelihood scale: Remote (10%), Unlikely (25%), Reasonably Possible (50%), Probable (75%), Almost Certain (90%).
    • Impact scale: Insignificant, Minor, Moderate, Major, Catastrophic.
    • Cell ratings range from Low, Low to Moderate, Moderate and Moderate to High up to High and Very High.
    Risks plotted on the map:
    1 Competitor; 2 Business Interruption; 3 IT - Systems Implement.; 4 Sourcing/Supply Chain; 5 Customer Satisfaction; 6 IT - Infrastructure; 7 Human Resources; 8 Shrink/Loss Prevention; 9 Consumer Privacy; 10 Reg. - Price Integrity; 11 Price - Interest Rate; 12 Rev. Rec. - Allowances; 13 Taxation; 14 Business Model; 15 Organizational Culture.
  • 13. ERM FOUNDATIONAL CONCEPTS: COMMON FRAMEWORK FOR ERM PROGRAMS
    (Framework cycle, with Information for Decision-Making as the central element)
    • Establish the Risk Management Goals, Objectives and Infrastructure
    • Assess the Business Risk (Identify, Source, Measure)
    • Formulate the Business Risk Management Strategies
    • Design/Implement the Risk Management Process
    • Measure/Monitor the Risk Management Process Performance
    • Continuously Improve the Business Risk Management Process
    ERM is a continuous, formalized process of:
    • Establishing
    • Assessing
    • Developing
    • Implementing
    • Monitoring
    • Improving
    ERM is primarily focused on key risks to the organization, not necessarily all risks.
  • 14. ERM FOUNDATIONAL CONCEPTS: ERM INTEGRATION WITH STRATEGIC PLANNING
    Strategic planning stages: Corporate Mission, Vision and Values; Assess the External Environment; Formulate and Select a Strategy; Set Strategic Measurements and Targets.
    Key ERM Components at each stage:
    • Identify the risks to achieving objectives. Source the risks. Identify, monitor and respond to emerging risks.
    • Assess and prioritize risks. Select strategies within the organization’s risk appetite.
    • Set strategic measurements and key risk indicators (KRIs). Identify the strategic risk owners.
    • Enable communication on achievement of strategic objectives. Monitor, evaluate and update KRIs and risk management action plans. Update operational plans.
    • Allocate risk management resources. Develop risk mitigation plans. Develop additional KRIs.
  • 15. ERM FOUNDATIONAL CONCEPTS: VALUE OF ERM
    Sustain Competitive Advantage
    • Incorporate operational risk management best practices.
    • Identify, assess and manage emerging external risks, including regulatory changes, access to capital and financial market volatility.
    • Evaluate and manage risks associated with strategic business decisions (product/service offerings, etc.).
    • Respond effectively to low probability critical/catastrophic risks (e.g., Black Swan).
    Optimize Costs
    • Standardize the business process and collaborate efforts to integrate it.
    • Allocate resources more efficiently.
    • Eliminate unnecessary controls.
    Improve Business Performance
    • Manage KPI shortfalls and tightened margins.
    • Better understand risks and improve risk management capabilities across business functions and units.
    • Improve strategic management and business planning processes.
    • Expand and improve corporate governance, addressing expectations of and requests from the board (including reporting needs).
  • 16. MOVING TO ERM: FIRST VERSION HAS BASIC FUNCTIONALITY 16
  • 17. MOVING TO ERM: FAST FORWARD: RISK BECOMES OPPORTUNITY 17
  • 18. MOVING TO ERM
    Focus
      Risk Management: Financial and hazard risks and internal controls
      Business Risk Management: Business risk and internal controls, taking a risk-by-risk approach
      Enterprise Risk Management: Business risk and internal controls, taking an entity-level portfolio view of risk
    Objective
      Risk Management: Protect enterprise value
      Business Risk Management: Protect enterprise value
      Enterprise Risk Management: Protect and enhance enterprise value
    Scope
      Risk Management: Treasury, insurance and operations are primarily responsible
      Business Risk Management: Business managers are accountable
      Enterprise Risk Management: Applied across the enterprise, at every level and unit
    Emphasis
      Risk Management: Finance and operations
      Business Risk Management: Management
      Enterprise Risk Management: Setting a strategy
    Application
      Risk Management: Selected risk areas, units and processes
      Business Risk Management: Selected risk areas, units and processes
      Enterprise Risk Management: Enterprisewide to all sources of value
    (Diagram: sources of value expand from the “current-state” capabilities of risk management, covering physical and financial assets, through business risk management, which adds employee/supplier and customer assets, to the “future-state” vision of ERM, which also covers organizational assets.)
  • 19. MOVING TO ERM: POINT OF VIEW ON ERM
    • ERM will never begin if you don’t know what your risks are.
    • ERM is not something to build in a day. Start somewhere and build incrementally.
    • The purpose of ERM infrastructure is to drive continuous improvement of ERM capabilities.
      − The objective is to continuously improve capabilities around managing priority risks as circumstances change.
    • The tenets of effective ERM implementation:
      − Leverage what you have.
      − Integrate with what you do.
      − Keep it simple.
  • 20. MOVING TO ERM: COMMON ERM OBSTACLES AND PITFALLS TO AVOID
    01 Failure to get “buy-in” and support from executive management (CEO).
    02 An inability to demonstrate value to operational personnel and risk owners.
    03 Enterprise list management.
    04 A lack of dedicated resources with the appropriate background.
    05 An inability to capture, summarize and manage information.
    06 Ineffective or inefficient risk identification techniques.
    07 Risk responsibility that is not linked to rewards.
    08 General counsel concerns exist over risk documentation.
    09 ERM that is not integrated with other activities and functions within the organization.
    10 Failure to link risks to strategy.
  • 21. ERM IMPLEMENTATION OVERVIEW: STEP 1
    ERM Infrastructure
    Key Elements
    • Develop an ERM governance structure (e.g., charter, philosophy, risk appetite).
    • Define a process/organizational classification scheme.
    • Adopt a standardized risk model.
    • Define roles and responsibilities.
    • Conduct ERM awareness training.
    • Understand existing risk management processes and/or areas of overlap.
    • Gather information on company strategy and value drivers.
    • Implement GRC software.
    Key Outputs for XYZ
    • ERM vision and responsibilities.
    • Process/organizational classification scheme.
    • Risk model (common language) and risk definitions.
  • 22. ERM IMPLEMENTATION OVERVIEW: STEP 2
    Risk Assessment and Prioritization
    Key Elements
    • Incorporate information from internal audit’s risk assessment, along with input from other executives on existing and/or emerging risk areas for XYZ.
    • Define risk ranking criteria (likelihood of occurrence and impact/significance to XYZ).
    • Link strategic objectives/initiatives to risks.
    • Prioritize key risks.
    Key Outputs for XYZ
    • Preliminary prioritization of identified risks.
    • Risk map.
  • 23. ERM IMPLEMENTATION OVERVIEW: SAMPLE RISK MAP
    Key risks on the XYZ risk model will eventually be mapped based on the significance and likelihood of each risk. The risk profile associated with each quadrant of the Significance/Likelihood map is noted below.
    Black Swan (secondary risks: high significance, lower likelihood)
    • Likelihood is lower but could have a significant adverse effect on the company’s ability to achieve its objectives if risk is realized.
    • Monitoring is limited and detective controls are needed.
    Key Risks (high significance, high likelihood)
    • Critical risks potentially threaten the achievement of companywide objectives.
    • High-monitoring activity and preventive controls are essential in mitigating these risks.
    Low Priority Risks (low significance, low likelihood)
    • The overall business impact is not deemed as significant.
    • Significant monitoring is not necessary unless change occurs in risk classification.
    Secondary Risks (lower significance, higher likelihood)
    • Less significance exists but is more likely to occur.
    • Cost/benefit trade-off is considered.
    • Some monitoring and effective detective controls are needed.
    • Risks are often re-assessed to evaluate changing conditions (move to high significance).
    (Map: Likelihood on one axis and Impact/Significance on the other, each rated Low to High on a 1-5 scale, with the Risk Appetite boundary marked.)
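The likelihood and impact scales from the "ERM as a picture" slide and the quadrant guidance from the sample risk map, applied to a constructed risk register; this is an added example, not the deck's own material. The Low/High cut-off on each axis and the ratings in the register are assumptions, since the slides show only the scales.

```python
from dataclasses import dataclass

# Likelihood scale from the "ERM as a picture" slide (label -> probability).
LIKELIHOOD = {"Remote": 0.10, "Unlikely": 0.25, "Reasonably Possible": 0.50,
              "Probable": 0.75, "Almost Certain": 0.90}

# Impact scale from the same slide, ranked 1 (lowest) to 5 (highest).
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Quadrant names and control guidance, paraphrased from the sample risk map slide.
GUIDANCE = {
    "Key Risks": "high monitoring; preventive controls essential",
    "Black Swan": "limited monitoring; detective controls needed",
    "Secondary Risks": "some monitoring; detective controls; re-assess as conditions change",
    "Low Priority Risks": "no significant monitoring unless classification changes",
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # a LIKELIHOOD key
    impact: str      # an IMPACT key


def classify(risk: Risk, p_high: float = 0.50, i_high: int = 4) -> str:
    """Place a risk in one quadrant of the Significance/Likelihood map.

    The cut-offs are assumptions, not from the deck: 'high' likelihood is
    Reasonably Possible (50%) or above, 'high' significance is Major or above.
    """
    high_p = LIKELIHOOD[risk.likelihood] >= p_high
    high_i = IMPACT[risk.impact] >= i_high
    if high_i and high_p:
        return "Key Risks"
    if high_i:
        return "Black Swan"
    if high_p:
        return "Secondary Risks"
    return "Low Priority Risks"


def build_risk_map(risks: list[Risk]) -> dict[str, list[str]]:
    """Group risk names by quadrant, highest impact (then likelihood) first."""
    ordered = sorted(risks, key=lambda r: (IMPACT[r.impact], LIKELIHOOD[r.likelihood]),
                     reverse=True)
    risk_map = {quadrant: [] for quadrant in GUIDANCE}
    for r in ordered:
        risk_map[classify(r)].append(r.name)
    return risk_map


# Constructed sample register: risk names are taken from the slide-12 list,
# the ratings are invented for illustration only.
SAMPLE_REGISTER = [
    Risk("Business Interruption", "Unlikely", "Catastrophic"),
    Risk("Consumer Privacy", "Reasonably Possible", "Major"),
    Risk("IT - Infrastructure", "Probable", "Moderate"),
    Risk("Taxation", "Remote", "Minor"),
    Risk("Organizational Culture", "Almost Certain", "Major"),
]

if __name__ == "__main__":
    for quadrant, names in build_risk_map(SAMPLE_REGISTER).items():
        print(f"{quadrant} ({GUIDANCE[quadrant]}): {', '.join(names) or '-'}")
```

Moving a cut-off (for example treating Moderate impact as high) re-sorts the register, which is the same re-classification the slide describes for secondary risks as conditions change.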
  • 24. ERM IMPLEMENTATION OVERVIEW: QUANTIFYING RISK
    Inputs: The quality of data input determines the quality of data coming out of the model. This is often the most challenging aspect of quantifying risk.
    Models and Assumptions: These should align with the firm’s goals and objectives as well as current marketplace/industry realities.
    Outputs: Create outputs that are relevant to the overall firm and business units. Link outputs to performance measures/KPIs.
  • 25. ERM IMPLEMENTATION OVERVIEW: RISK MEASUREMENT VALUE
    • Allows for return to be evaluated on a risk-adjusted basis.
    • Provides a method to produce comparable results across businesses with different risk profiles.
    • Provides a method to rank opportunities based on the opportunity risk profile.
    • Serves as feedback on the effect of changes in portfolio composition and risk policies (e.g., increasing % of hospice).
  • 26. ERM IMPLEMENTATION OVERVIEW: STEP 3
    Risk Response/Management
    Key Elements
    • Understand key controls/risk management activities that currently exist to address key risks, as well as gaps.
    • Define key risk indicators (KRIs) and risk tolerance levels.
    • Develop risk reports/dashboards and present information to executive management and the board.
    Key Outputs for XYZ
    • Key risk indicators for key risks.
    • Risk reports/dashboards.
  • 27. ERM IMPLEMENTATION OVERVIEW: WHAT DO WE DO WITH RISK?
    • Avoid: Eliminate risk by preventing exposure to future possible events from occurring.
    • Accept: Maintain the risk at its current level.
    • Reduce: Implement policies and procedures to lower the risk to an acceptable level.
    • Share: Shift the risk to a financially capable, independent counterparty.
    Response tactics listed on the slide: Divest, Prohibit, Stop, Screen, Eliminate, Target, Retain, Reprice, Self-Insure, Offset, Disperse, Control, Respond, Diminish, Isolate, Test, Improve, Relocate, Redesign, Diversify, Insure, Reinsure, Hedge, Transfer, Outsource, Securitize, Indemnify.
  • 29. ERM APPROACH
    Identifying, understanding and evaluating an organization’s most significant risk areas will set the foundation for a robust ERM program. The diagram below outlines an effective and proven approach to building ERM capabilities that will ultimately:
    • Enhance corporate governance.
    • Align and integrate varying views of risk and risk management.
    • Respond to the changing business environment.
    (Approach components: Planning; Facilitating Risk Discussion; Risk Analysis; External Verification; Management Review; Gap Assessment; Coordination and Oversight)
    The following pages detail each component of this ERM approach.
  • 30. PLANNING
    Activities
    • Meet with ABC’s ERM project sponsor to confirm the scope and risk management objectives (including guidelines for defining “catastrophic” risks).
    • Leverage ABC corporate audit’s risk model and confirm that it includes the necessary environment, process and information for decision-making risk categories. Adjust the model as necessary.
    • Identify a cross-section of leaders within each business/region/function to participate in a facilitated risk discussion (workshop). If necessary, there may be multiple workshops within each business, region and function.
    • Conduct interviews with workshop participants to better understand key risk areas within each business/region/function and to verify that the necessary risk categories are included in the risk model. Complete these interviews prior to conducting the facilitated risk workshops.
    • Distribute the risk model to attendees prior to conducting each workshop to set the foundation for a common risk language.
    Output/Deliverables
    • ABC-specific risk model (inclusive of key risk categories)
  • 31. FACILITATING RISK DISCUSSION
    Activities
    • Conduct facilitated risk discussions to evaluate the inherent significance and likelihood of identified risks. Using real-time, anonymous voting technology, identify ABC’s top nontraditional, catastrophic risk categories.
      − Facilitated workshops provide an effective and efficient approach to holistically evaluating an organizational risk. Participants can discuss and verify issues and facts and reach meaningful conclusions that ultimately enhance risk management capabilities.
    • Gather initial input on the top risk categories to begin the process to identify specific events and/or scenarios that cause each category to have an elevated priority.
    Output/Deliverables
    • A prioritized list of risk categories within each business/region/function
    • Information on risk-specific events and/or scenarios that could significantly impact ABC
  • 32. RISK ANALYSIS
    Activities
    • Explore the specific events within each top risk category that could have a significant or catastrophic impact on ABC. Evaluate these events in the context of broad organizational impact to identify the discrete risk points within each risk area (i.e., catalog the Level 2 and Level 3 risks).
      − Example: If “Illegal Acts” is identified as a top risk category, outline and document the specific illegal acts that would cause the most damage to ABC. It may be necessary to approach these risks using a worst-case scenario.
    • Identify an expert panel of ABC management relevant to each of the top five to six risk categories and facilitate discussions to identify potential risk events/scenarios within each top risk category. Confirm that the agreed-upon events are ABC-specific and adequately describe how each would contribute to a potentially catastrophic outcome.
    • Consolidate and prioritize the top events in each of the priority risk categories from each of the expert panel workshops.
    Output/Deliverables
    • Documentation of ABC’s prioritized catastrophic risks supported by specific events and supporting explanations
  • 33. EXTERNAL VERIFICATION
    Activities
    • Identify external resources with expert perspectives on industry and risk management topics.
    • Distribute ABC’s consolidated risk universe and solicit feedback.
    • Discuss external feedback with business/region/function leaders and adjust the risk universe as necessary.
    Output/Deliverables
    • An updated universe of ABC’s most critical risks that incorporates feedback from external experts
  • 34. MANAGEMENT REVIEW
    Activities
    • Discuss the prioritized list of critical risks with members of ABC’s executive leadership team. Solicit feedback and update the risk list as necessary.
    • Develop summary materials to communicate ERM activities and results to the board.
    Output/Deliverables
    • A finalized list of ABC’s top risk areas
    • A board-level reporting summary
  • 35. GAP ASSESSMENT
    Activities
    • Through a discussion and documentation review, evaluate ABC’s current capabilities to manage the identified risk categories and potential risk events/scenarios.
    • Identify risks that may not be adequately controlled and perform a gap analysis.
    • Communicate gaps and confirm them with business/region/function leaders.
    Output/Deliverables
    • A summary of risk management activities to address ABC’s top risk areas, including process gaps and associated recommendations
  • 36. COORDINATION AND OVERSIGHT
    • Communication between management and each business/region/function is of paramount importance to successfully complete this ERM initiative. In coordination with management, the risk management project team will have responsibility for overseeing all engagement activities.
    • Senior members of the risk management project team will coordinate ERM activities throughout the entirety of this project.
    • The risk management project team will facilitate risk workshops, summarize workshop results, identify and introduce external experts, and present the results to management.
    • As necessary, the risk management project team will be available to assist with preparing and/or presenting relevant materials to the board.

Editor's Notes

  • #11: Risk Appetite (resource allocation): “Management looks to align organization, people, processes and infrastructure to facilitate successful strategy implementation and enable the entity to stay within its risk appetite.”
  • #19: Enterprise risk management requires XYZ to take a portfolio view of risk: Organizations typically manage risk within silos. This ignores cross-functional impacts. It requires increased communication to manage business.
  • #21: “Buy-in” is more than just “pronouncements from on high” that ERM is valuable. Demonstrating a belief in ERM’s value is critical. Having executives show up in person to an ERM training session can have significantly more impact than just having them send a supportive email to the entire company (although that, too, is important). Also, the demonstrated buy-in needs to be sustained, so staff should hear from executives on ERM throughout the implementation effort. The inability to demonstrate value is often connected to the failure to identify “quick wins” as part of the process. Because ERM implementation can take time, not taking advantage of every opportunity to achieve and communicate quick successes can drain the energy from the entire effort. The final bullet should receive some attention because ERM is not a “project.” It is a process, a discipline that the company is committing to that will change the way that it thinks about and manages risk. For ERM to be successful, it needs to become part of the lifeblood of the company and integrated into all activities and functions within the organization.