ERM: What's New & What's Next

ERM: What’s New & What’s Next
Institute of Internal Auditors Webinar
February 19, 2009

Presented by:
John A. Wheeler, Managing Principal, Wheelhouse Advisors LLC
Kenneth K. Yoo, Senior Vice President – Enterprise Risk Management,
Federal Home Loan Bank of Atlanta

www.theiia.org/Training

Discussion Topics

• Key risks facing companies operating both inside and
outside the United States

• Developing an Enterprise Risk Management Framework &
Approach

• Evolution of a Risk & Controls Program

• Enterprise Risk Management in the era of increased
regulatory and shareholder scrutiny


© Copyright 2009 - Wheelhouse Advisors LLC │1

Changing Risk Environment



Changing Risk Environment
In 2008 & 2009, the risk landscape has shifted dramatically

Fannie and Freddie
Likely to Plunge,
Searing Investors



Developing an ERM Framework

What is “ERM”?
“… a process, effected by an entity's board of directors,
management and other personnel, applied in strategy
setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage
risks to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework - 2004.




• ERM is a process that encompasses the following key
activities
– Identifies potential events that may arise out of and/or impact a
company’s strategic objectives
– Assesses the severity and likelihood of risk events
– Determines risk response
• Evaluates in relation to risk tolerances
• Determines approach – Avoid, Accept, Reduce, Share
• Specifies mitigation plan
– Manages risk within the enterprise’s risk appetite
– Takes a portfolio view of risk at the top
– Monitors performance continuously



“Old School” Approach “New School” Approach
 Risk perceived as individual hazards that may  Understand risks in context of business
negatively impact a given area strategies and objectives
 Ad hoc focus on risks with greatest emphasis  Disciplined and forward looking focus on
on recent events critical risks
 Managing risks is senior management’s  Managing risk is everyone’s responsibility
responsibility
 Minimize and/or eliminate risk  Manage risk within tolerance levels and
capitalize on opportunities
 No risk owners  Well defined accountability for risks

 No formal risk reporting or monitoring at the  Risk reporting emanating from existing
entity level channels to the top
 Highly decentralized  Portfolio management



Risk Assessment vs. ERM
• Risk Assessment
– Point-in-time snapshot
– Often internal audit driven
– Identifies where to focus current attention
– Great for planning, but not the full solution

• ERM
– Continuous risk monitoring and identification
– Real-time assessment using indicators as well as evaluation of new
strategic initiatives
– Balanced focus on opportunities and impacts
– Built-in ownership of risks at the right level – embedded in the
business



Benefits of ERM
ERM provides the ability for a company to:
– Understand and define risk appetite as it relates to strategy
– Link growth, risk and return
– Optimize risk response decisions
– Minimize operational losses and surprises
– Rationalize capital resources
– Strengthen credit ratings
– Improve efficiency by integrating responses to multiple risks
– Seize opportunities to capitalize on rewards from taking
intelligent risks



Evolution of a Risk & Controls Program

• Sarbanes-Oxley (“SOX”) Section 404 as a starting point

• Innovation and integration leading to greater efficiency
and effectiveness

• Barriers to overcome

• Required changes in approach



SOX as a starting point
• Similar disciplined approach with primary focus on risks
first, processes second and controls third
• Streamlining business processes
– Eliminating duplicative activities
– Process improvement, eliminate outdated procedures
– Enhancing data integrity for critical decision-making
• Enhancing, automating and integrating data flow
– Focus on data analytics and mining opportunities to strengthen
controls
– Providing more transparent and seamless communication across
the business
– Viewing the process end-to-end to understand control gaps



Evolution of Risk & Control Programs

Developing Implementing Improving Integrating

• Highly reactive to • Individual control • Alignment of control • Seamless and proactive
individual regulatory programs in various programs to increase risk & control program
mandates phases of efficiency and reduce
implementation administrative burden • Risk governance &
• Immature risk and/or refinement oversight structure fully
governance & • More focused risk embedded in business
oversight structure • Evolving risk governance & governance structure
governance & oversight structure (i.e. from strategy
• Informal risk related oversight structure through execution)
infrastructure • Identification and
• More formal risk implementation of • Risk infrastructure
related best practices across automated and fully
infrastructure at business units integrated across
corporate and enterprise
business unit levels

Evolving Mature



Barriers to Overcome
Attitudes / Culture
• People are “burned-out” by SOX
• Seen as interfering with “real work”
• Lack of alignment with performance measurements – little incentive to
participate
• Budget constraints are increasing leaving few resources to commit
• View that one-time training is the answer
• Wavering support from executive management and board

Infrastructure
• No shared language
• Over reliance on support functions
• Little or no linkage between risks, process and controls
• Enabling technology is non-existent or fragmented at best



Barriers to Overcome



Internal Audit’s ERM Barriers to Overcome

Internal Audit ERM Competency Map

Enterprise Risk Assessment 30% 53% 17%

Fraud prevention / detection 26% 55% 19%

Use of technology and analytics 26% 52% 22%

Improvement Opportunity Somewhat Competent Very Competent

Source: Ernst & Young 2008 Global Internal Audit Survey



Internal Audit’s Role in ERM

Source: The Institute of Internal Auditors



ERM Program Sustainability

Has your company reached a What makes your ERM program
sustaining ERM maturity level? sustainable?

Senior management endorses the
84%
organization’s risk management
Yes efforts
29%
Management is part of the risk 74%
management program

No Risk management efforts are part
66%
71% of the organization’s management
process and tools

22%
Other

0% 20% 40% 60% 80% 100%

Source: 2008 ERM Benchmarking Survey - The Institute of Internal Auditors



Changes Required
• Clear and consistent support from executive management
• High-level, multi-disciplinary, dedicated core team
• Strong business case on how ERM will enhance
– Business decision-making
– Achievement of corporate and business unit strategic objectives
– Identification of opportunities as well as potential impacts
• Building ERM into business processes – efficiently and without
undue administrative burden
• Well defined roles and responsibilities for risk leading to improved
accountability – build into incentives and performance
management
• Long-term commitment to the effort, linked to strategic planning



Changes Required



Increased Scrutiny
• Legal / Regulatory
– SEC
– Department of Justice
– Stock Exchanges
– Securities Fraud Plaintiff Attorneys
– Sarbanes-Oxley Act – Sections 302 & 404
– Foreign Corrupt Practices Act
– Industry specific regulations (Privacy, Anti-money laundering,
Risk-based capital requirements, etc.)
• Shareholders & Stakeholders
– Outsourcing / Third-party resources
– Credit rating agencies
– Institutional Investors
– Personal liability for Board Members



Critical Success Factors
1. Organizational Culture
– Governance (Board & Executive
Management)
Continuous
– Roles and Responsibilities Monitoring
– Incentive Programs
2. Infrastructure
Integration
– Simple, consistent and well
understood risk framework
– Effective controls at the appropriate
Infrastructure
stages of the process
3. Integration
– Portfolio view
– Mind the control gaps Organizational
– Focused effort with optimal use of Culture
resources
4. Continuous Monitoring
– Current risk levels vs. risk appetite
– Effectiveness of control performance



For more information about service offerings, please visit:
www.WheelhouseAdvisors.com
Or email us at:
NavigateSuccessfully@WheelhouseAdvisors.com



ERM: What's New & What's Next

More Related Content

What's hot (19)

Viewers also liked (20)

Similar to ERM: What's New & What's Next (20)

Recently uploaded (20)

ERM: What's New & What's Next