Introduction To ERM (Enterprise Risk Management)

47 Pages
Upload by: Karl Gosselin
Transcription

Introduction to ERM (Enterprise Risk Management)

Jonathan Burns
- Director of Finance for Paramount Health Care since November 2014
- Relocated to NW OH from Lexington, KY
- Prior roles in higher education and banking/finance
- Learned about ERM due to compliance regulations and implemented Paramount's ERM structure and process
Jonathan.Burns@ProMedica.org, 419-887-2500

Agenda
- Define ERM
- Benefits of ERM
- Components of ERM
- Governance Structure
- Define SRM

Define ERM
Enterprise Risk Management (ERM): "A process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: ermInsights and John Bugalla and COSO (Committee of Sponsoring Organizations)

Define ERM
ERM is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings.
Strategic Risk Management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization's strategy and strategy execution.
Source: ermInsights and John Bugalla

Define ERM
ERM consists of active and intrusive processes that:
1) are capable of challenging existing assumptions about the world within and outside the organization;
2) communicate risk information with the use of distinct tools (such as risk maps, stress tests, and scenarios);
3) collectively address gaps in the control of risks that other control functions (such as internal audits and other boundary controls) leave unaddressed; and, in doing so,
4) complement, but do not displace, existing management control practices.
Source: ermInsights and John Bugalla and COSO (Committee of Sponsoring Organizations)


Benefits of ERM
- Enhance board risk oversight responsibilities
- Required in certain industries (financial, insurance)
- Executive risk-informed decision making
- Individual risk silos do not work
- Create new measurable value
Source: ermInsights and John Bugalla

Benefits of ERM
- Volatility and uncertainty abound
- Competitive advantage is critical for future success
- Avoid the strategy-execution gap
- Enhance audit and compliance
- Lessen the impact of adverse events
Source: ermInsights and John Bugalla

Benefits of ERM
Planning for Performance:
"Give me six hours to chop down a tree and I will spend the first four hours sharpening the axe." - Abraham Lincoln
The process of getting there will ultimately determine your final result. Planning is a very important step in business strategy.
Source: ermInsights and John Bugalla

Benefits of ERM
Strategy-Execution Gap: [figure]
Source: ermInsights and John Bugalla; CEB, Harvard Business Review


Benefits of ERM
Sample Risk Categories:
- Underwriting: Model Risk; Product Pricing; Reserves; Natural Catastrophe
- Operational: Regulatory Risk; IT Risk; Personnel Risk
- Strategic: Regional Concentration of Risk; Reputation; Global/National Economy; Competition; Availability of Reinsurance
- Market: Investment Market Risk; Liquidity
- Credit: Claims; Reinsurer Credit
Source: Willis Re and Willis Towers Watson


Components of ERM
Steps to design an ERM program:
1) Define desired program
2) Implement ERM charter
3) Establish risk appetite
4) Define tolerance levels
5) Start risk assessment process

Components of ERM
Five Key ERM Practices: [figure]
Source: Willis Re and Willis Towers Watson

Components of ERM
Define desired program:
- Use a gap analysis to survey leadership for the desired outcome of ERM
Source: ermInsights and John Bugalla

Components of ERM
Criterion 1: Risk Organization & Governance
(The source lays out each criterion in three columns, from least to most mature practice.)
Stage 1 (least mature):
- Risk management function centered on compliance, audit and controls
- Silo-based risk management processes
Stage 2:
- Commitment to ERM from top management and Board
- Established risk officer or head of risk position (may not be solely focused on risk)
- Functioning cross-functional senior management risk committee
- Risk management viewed as a "partner" by the business units
- Resources dedicated to risk management at the enterprise level
- Existence of some risk policy documentation
- Management "working group" forum for discussion of risk issues
- A more holistic/enterprise view of risk
- Risk management roles and risk ownership formally defined
- Training provided to risk management staff and risk owners
Stage 3 (most mature):
- Functioning cross-functional senior management risk committee
- Risk management viewed as a "partner" by the business units
- Established CRO with authority at a senior level, reporting to the CEO and with independent access to the Board
- ERM roles and responsibilities established and defined, including ERM staff, risk owners, committees and Board
- Committee charters defined: roles, responsibilities, membership, reporting
- Clearly documented risk policies, procedures, and risk bearing capacity and appetite
- Formal information flow from functions to ERM, senior management, and the Board
- ERM/SRM duality is recognized (upside gains)
- Strong risk owners at function level identifying both risks and opportunities
- Emerging threats and opportunities identified and analyzed
- ERM/SRM integrated and aligned with corporate strategy
- Strategic information reported to the Board
Source: ermInsights and John Bugalla

Components of ERM
Criterion 2: Risk Appetite and Tolerance
(The source lays out each criterion in three columns, from least to most mature practice.)
Stage 1 (least mature):
- Individual risk limits (e.g., trading, credit, operating, investment), mostly based on management intuition and/or tradition
- Limited monitoring and reporting of violations of risk tolerances, not tied to corrective action and/or revised risk tolerances as needed
Stage 2:
- Early-stage development of a risk appetite statement articulated by senior management, but lacking robustness
- Inclusion of risk appetite in the risk identification and assessment process
- Risk limits for individual risk categories articulated at the functional level
- Understanding of the risk profile in relation to risk appetite
- Clear limits defined and an exception management process in place, but not enforced
Stage 3 (most mature):
- Risk appetite statement articulated (quantitative and qualitative) and incorporating multiple stakeholder viewpoints in defining metrics
- Risk appetite and tolerances validated through quantitative modeling
- Annual approval and sign-off by the Board of Directors of key material risks
- Communication of strategy, risk appetite and tolerances throughout the organization
- Modeling/reconciling top-down risk appetite with bottom-up risk limits
- Formal process for vetting models and new products
- Applying risk appetite to decision making, capital deployment, and resource allocation
- Enforcement of risk and reward decisions with linkage to compensation/performance
- Incorporation of reputation impact into risk appetite and tolerance statements
- All corporate functions understand the purpose of ERM/SRM
Source: ermInsights and John Bugalla

Components of ERM
Criterion 3: Metrics & Measurement
(The source lays out each criterion in three columns, from least to most mature practice.)
Stage 1 (least mature):
- Metrics based on accounting/regulatory reporting requirements
- Measurement techniques for financial and event risks
- Metrics for evaluating risk and reward at the operational level exist but are inconsistent and not defined as part of the ERM process
Stage 2:
- Robust measurement of some key risks (e.g. pricing models for all transactions)
- Risk prioritization through qualitative assessment and quantification of key risks (heat map)
- Use of internal SMEs and root cause analysis
- Simplified approach to stress testing capital adequacy
- Limited scenario planning and/or SWOT analysis
- Some risk metrics at the function level, but inability to aggregate at the enterprise level
- Company metrics are established and used to prioritize opportunities and support the evaluation of an individual opportunity
Stage 3 (most mature):
- Measurement metrics for all risk categories with aggregation capabilities
- Modeling key risks in common terms
- Metrics for evaluating risk and reward at the operational level exist, are consistent, and are defined as part of the ERM process
- ERM embedded in strategic planning and decision making
- Consistent approaches to risk measurement and impact on value
- Ability to produce results accurately and quickly
- Robust use of scenario planning, analysis and stress testing
- Risk metrics included in individual performance objectives and compensation
- Macroeconomic indicators considered in predictive financial performance
Source: ermInsights and John Bugalla

Components of ERM
Criterion 4: Risk Management Process, Procedures & Controls
(The source lays out each criterion in three columns, from least to most mature practice.)
Stage 1 (least mature):
- Risk management function centered on insurance and other traditional risks
- Internal audit focused on compliance, audit and controls
- Existence of a control structure
- Risk-adjusted decision process in place
- Risk prioritization based on qualitative information
- Silo-based management of key risks
- Business continuity plans developed
- Operational risk controls defined and in place
Stage 2:
- Consistent risk identification and assessment process
- Enterprise-wide view of key risks to the strategy
- Risk treatments and options developed for key risks
- Standardized process for insurance and financial risk management (credit, market and operational)
- Regular monitoring and analysis of extreme events
- Risk management knowledge exists at the senior management level
- Risk policies are clearly defined and communicated, and have influence on functional management
- Management and risk owners understand the importance of, and their role in, managing risk within the operations
- Formal approach to identifying, quantifying and monitoring operational risks
Stage 3 (most mature):
- Enterprise-wide view of key risks to the strategy
- ERM goals and objectives articulated and aligned with business strategy and objectives
- Risk-adjusted decision process in place
- Value driver analysis in place
- Appropriate risk and control processes (identification, measurement, reporting and checkpoints against risk tolerances) in place
- Robust framework for stress testing and scenario analysis models
- Use of value mapping tools
- Risk culture aligned and implemented
- Understanding of the portfolio effect of risk
- Risk financing options clearly understood
- ERM/SRM collaborating with compliance and audit
Source: ermInsights and John Bugalla

Components of ERM
Criterion 5: Risk Monitoring, Reporting & Communication
(The source lays out each criterion in three columns, from least to most mature practice.)
Stage 1 (least mature):
- Ad hoc reporting, possibly with significant lag time
- Reactive response to risk events and reports
- Existence of risk reporting by business line and for the enterprise
- Reporting developed for regulatory compliance
- Management reports developed for audit findings and controls
- Financial disclosure requirements
Stage 2:
- Risk management dashboard that includes reporting metrics linked to risk appetite and tolerances
- Existence of risk reporting by business line and for the enterprise
- Ability to produce reports based upon timely and useful information that allow for actionable decision making
- Reporting is data-oriented rather than information-oriented and not easily actionable
- Quarterly or monthly ERM reporting to executive management
- Annual reporting of key risks to the Board
- Reporting is tailored appropriately to the audience to whom it is delivered
- Annual third-party stewardship reports
- Technology is used to support the business strategy and the implementation and monitoring of risk tolerances
Stage 3 (most mature):
- Risk management dashboard that includes reporting metrics linked to risk appetite, tolerances, and strategy
- Ability to produce reports based upon timely and useful information that allow for actionable decision making and adaptation to new strategy
- Flexible reporting and ability to drill down into risk information
- Integration of ERM components, data, and systems
- Reporting is tailored appropriately to the audience to whom it is delivered
- Emerging threats and opportunities included in reports
- Strategic risks are reported to the Board on a quarterly basis
- Risk management is a competitive advantage
- Risk owners report to the Board and audit verifies
- All corporate functions understand the purpose of and support ERM/SRM
Source: ermInsights and John Bugalla


Components of ERM
Implement ERM charter:
- Developed to formally establish the ERM function
- Based on the desired state as learned via the gap analysis
- Must be approved by the Board or appropriate committee
- Must include:
  - Definition of ERM for the organization
  - Mission
  - Sponsor
  - Frequency of meeting
  - Framework (e.g. COSO 2013)
  - Responsibilities of the committee
  - Focus on key risks and integration with operations
Source: ermInsights and John Bugalla

Components of ERM
Establish risk appetite:
- Determining risk appetite starts by determining the organization's risk capacity
- Risk capacity: an organization's ability to withstand risk when it becomes fact while avoiding unwanted effects
Source: ermInsights and John Bugalla

Components of ERM
Risk Appetite:
- Is strategic and is related to the pursuit of organizational objectives
- Should form an integral part of organizational governance
- Should guide the allocation of resources
- Is multi-dimensional, looking at short-term and long-term goals of the strategic planning cycle
- Requires effective monitoring of the risk itself and the organization's continuing risk appetite
- Should directly link to the organization's objectives
- Should be stated precisely enough that it can be communicated throughout the organization, effectively monitored, and adjusted over time
- Helps with setting acceptable tolerances for risk, thereby identifying the parameters of acceptable risks
Source: ermInsights and John Bugalla

Components of ERM
Generalized Statement:
"We take risks to build and grow our business, but only if those risks:
– Fit our business strategy and can be understood and managed;
– Do not expose the enterprise to any significant single loss events; we do not bet the firm on any single acquisition, business or product;
– Do not risk harming our brand."
Specified Scoring: [figure]
Source: ermInsights and John Bugalla

Components of ERM
[figure]
Source: ermInsights and John Bugalla

Components of ERM
Define tolerance levels:
To evaluate a new risk/opportunity/program:
- What is the worst/best case scenario?
- What does it cost/return if it happens?
- What is the mitigation strategy?
- Based on a cost comparison, do you mitigate or accept the risk?
- Does the evaluated risk remain within the established risk tolerance levels?
  - If yes, leadership may make the decision to move forward or not.
  - If no, is it within the risk appetite (all known risks combined still within the appetite range)?
    - Yes: go to the risk council (internal management) for final approval.
    - No: go to the risk committee of the Board for final approval.

Components of ERM
Risk Tolerance:
- Typically a financial indicator (e.g. % of revenue)
- A good benchmark is the threshold at which reporting outside the organization is required, for example:
  - Bond covenants
  - Change in bond rating
  - Risk Based Capital (RBC) level
  - Medicare Star rating

Components of ERM
Start risk assessment process: [figure]
Source: Willis Re and Willis Towers Watson


Components of ERM
ERM Model Example: [figure]
Source: ermInsights and John Bugalla


Governance Structure
[figure]
Source: Willis Re and Willis Towers Watson

Governance Structure
Suggested Model / Best Practice:
- Top-down risk identification
- Strategic analysis drives technical analysis and quantification
- Fewer, more aggregated risks
- Dynamic risk perspectives include opportunities
- High level of board engagement
Source: ermInsights and John Bugalla

Governance Structure
Risk Culture: The norms of behavior for individuals and groups within an organization that determine the collective ability to identify and understand, openly discuss and act on the organization's current and future risks.
"No matter which approach to ERM is taken, it is the organizational talent who will have to execute it; people are the strategic plan because human capital has become the fundamental advantage of competitive advantage." – John Bugalla
Source: ermInsights and John Bugalla


Define SRM
Strategic Risk Management: A business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization's strategy and strategy execution.
Strategy: the set of resource allocation decisions that help a firm create and sustain a competitive advantage.
"It is not the strongest of the species that survives, not the most intelligent that survives. It is the one that is most adaptable to change." - Charles Darwin
Source: ermInsights and John Bugalla

Define SRM
The primary difference between ERM and SRM is the degree of integration with strategic planning and the focus on upside risk/opportunities versus just risk reduction.
Some of the key benefits/reasons for SRM:
– Outside forces are creating volatility and uncertainty at a faster pace, risks are more complex and interconnected, and industry consolidation amplifies the effect.
– An integrated SRM program may provide a competitive advantage by identifying/realizing opportunities.
– SRM helps avoid the strategy-execution gap.
Source: ermInsights and John Bugalla

Define SRM
Strategic Planning:
- A survey at the 2014 Chief Strategy Officer Summit showed that only 13% of 132 respondents felt they achieved 80% or more of the expected value of their strategic initiatives.
- 82% of Fortune 500 CEOs feel their organization did an effective job of strategic planning. However, only 14% of those same CEOs indicated that their organization did an effective job of implementing the strategy.
Source: ermInsights and John Bugalla; Forbes

Define SRM
Competitive Advantage:
Most strategic initiatives are:
- The logical next step in the existing strategic direction
- Increased investment in our existing strategy in our immediate market segment
And emerge from:
- New ideas from existing management
- New information about the business or marketing environment
And take time:
- 7 months to decide what to do
- An additional 13 months for implementation
Source: ermInsights and John Bugalla; McKinsey Global Survey

Define SRM
Strategic Plan Components:
- Describe the organization's mission, vision, and fundamental values
- Target potential business arenas and explore each market for emerging threats and opportunities
- Understand the current and future priorities of the targeted customer segment
- Analyze the company's strengths and weaknesses relative to the competitors and determine which elements of the value chain the company should make vs. buy
- Identify and evaluate alternative strategies
- Develop an advantageous business model that will profitably differentiate the company from its competitors
- Define stakeholder expectations and establish clear and compelling objectives for the business
- Prepare programs, policies and procedures to implement the plan
- Establish supporting organizational structures, decision processes, information and control systems, and hiring and training systems
- Allocate resources to develop critical capabilities
- Plan for and respond to contingencies or environmental changes
- Monitor performance
As plans develop with SRM, the key questions to ask cover both the traditional downside risks and the upside opportunities:
- What are the 1-3 worst things that could happen if we do this?
- What can we do to reduce both the probability of this happening and the impact if it happens?
- What are the 1-3 best things that could happen if we do this?
- What can we do to increase the probability of this happening and the impact if it happens?
- Debate the assumptions, not the forecasts: understand the fundamentals and performance drivers.
- All assumptions should be risk informed and linked to SRM
- Allows all to speak a common language
- Discuss and understand resource deployments early
- Clearly identify priorities: not all are equally important
- Continuously monitor performance
- Reward and develop capabilities
Source: ermInsights and John Bugalla

Define SRM
- Board: Provide the board with the information that will assist them in performing their required risk oversight responsibilities and enhance their strategic understanding of the key performance indicators driving the business, to better engage executive management in strategic decision making.
- Execs: Deliver to executives the information that will assist them in making strategic decisions to grow the business and evolve the business model.
- Leadership: Provide the organizational leadership team with the information necessary to monitor and evaluate the performance of the ERM program.
- Business Unit Leaders: Deliver to business unit leaders and middle management the risk-informed analysis to make tactical decisions that support the day-to-day transactions of running the business.
Source: ermInsights and John Bugalla

Define SRM
[Diagram; boxes: Organizational Goals; Strategy; Strategic Planning; Strategic Risk Management; Strategy Implementation; Business Unit Planning; Business Plan Implementation; Governance, Risk, Compliance (GRC); Operations; Business Plan Outcomes; Strategy Outcomes]
Copyright 2016 John Bugalla & Emanuel Lauria
Source: ermInsights and John Bugalla

Summary
- Strategic planning typically makes assumptions about the business, while risk management considers the uncertainties surrounding these assumptions during implementation.
- But if strategists do not think carefully and comprehensively about the risks that might be encountered in their plans, risks will be missed, more than any after-the-fact risk management can mitigate.
"Everyone has a plan 'till they get punched in the mouth." - Mike Tyson
Source: ermInsights and John Bugalla

Intro to ERM
Questions?

