1 Enterprise Risk Management 1 Proprietary Information: This presentation contains concepts, ideas...

Enterprise Risk Management 1 Proprietary Information: This presentation contains concepts, ideas and materials which are proprietary to Deloitte & Touche LLP and which may not be used, copied, provided to others or referred to without the express written permission of Deloitte & Touche LLP. Enterprise Risk Management Presented to The Audit Directors Roundtable Atlanta, Georgia October 16, 1997

Page 1:

Enterprise Risk Management

Presented to The Audit Directors Roundtable

Atlanta, Georgia

October 16, 1997

Page 2:

Agenda

> “Know yourself” - a starting point for Enterprise Risk Management
> A model for Enterprise Risk Management
> Four focal points of Enterprise Risk Management
> The Unconscious Conspiracy
> Sustainable Enterprise Risk Management

Page 3:

Know yourself - three kinds of risk environment

Unprotected
> Processes, systems not in place
> Cultural attitudes not supportive
> Basics not strong
> Typical of: Start-ups, JV’s, different cultures, speed to market.
> Challenges: Lack of capability; where to start.

Transitional
> Financial control processes moderate
> History of problems, surprises
> Rapid change, rapid growth situations
> Challenges: High stress, over-stretched, resource constrained; Fire-fighting

“Go ahead.....”
> Well established systems, common processes
> Pockets of slackness, many areas for improvement
> Basics well in place
> Challenges: Operational, strategic; Unconscious Conspiracy

Page 4:

Risk Environment OF #1

> How would you describe your current risk environment?
> Unprotected
> Transitional
> Go Ahead

Page 5:

Risk Readiness

Ten indicators of ability to anticipate and manage risk: (COSO, CoCO, etc.)

> Objectives and risks
> Policies and parameters
> Values and ethics
> Responsibility and accountability
> Trust and communication
> Skills and tools
> Systems and discipline
> Scanning and questioning
> Monitoring and follow-up
> Assessment and reporting

Page 6:

Overall Risk Readiness OF #2

> How would you describe your organization’s overall risk readiness?
> Very ready
> Ready
> Fairly ready
> Somewhat ready
> Very unready

Page 7:

The Enterprise Risk Model

> What are you trying to accomplish?
> What gets in your way?
> What are you doing to manage this?
> Where do you feel the most exposed?

Page 8:

Enterprise Risk Model

Set Expectations

Identify Risks

Measure / Assess Risk & Control

Monitor Risk Environment and Risk Management

Business Strategies & Objectives

Assess Performance against expectations

R(O) - Cn = E

Assess & Mitigate Exposure

Page 9:

Enterprise Risk Model

Set Expectations

Identify Risks

Measure / Assess Risk & Control

Monitor Risk Environment and Risk Management

Business Strategies & Objectives

Assess Performance against expectations

Assess & Mitigate Exposure

>Avoidance

>Capital

>Control

>Exposure

>Financing

>Identification

>Measurement

>Mitigation

>Monitoring

>Risk

>Risk Management

>Significance

>Transfer

>Uncertainty

Page 10:

Enterprise Risk Model

Set Expectations

Identify Risks

Measure / Assess Risk & Control

Monitor Risk Environment and Risk Management

Business Strategies & Objectives

Assess Performance against expectations

Assess & Mitigate Exposure

>Avoidance - Declining an opportunity because expectation does not justify the risk involved

>Capital - Financial resources that support objectives and that enable survival under adverse outcomes

>Control - Action to correct or reduce uncertainty to an acceptable level

>Exposure - Susceptibility of objectives to risk remaining after control and mitigation activities

>Financing - Economic resources available for use in pursuing objectives and risk management activities

>Identification - Recognizing or establishing objectives, risks or exposures as being of a particular type or origin

>Measurement - Assessing the likelihood and significance of risks, exposures and related objectives

>Mitigation - Action to correct or reduce significance of risks and outcomes to an acceptable level (such as through diversification, financing, transfer, etc.)

>Monitoring - The process of continuous identification and measurement

>Risk - Anything of variable uncertainty and significance that interferes with achievement of objectives

>Risk Management - The business process of managing uncertainty and significance of risk to an acceptable level of exposure

>Significance - Importance and magnitude of meaning, influence or effect

>Transfer - Sharing a portion of risk and potential reward with another party

>Uncertainty - The level of the unknown regarding a future outcome

Page 11:

Enterprise Risk Model - Risk

R(O)

Risk

(a) Risk is a function of Business Objectives

(b) Risk is lost Opportunity

>Risk - Anything of variable certainty and impact that interferes with achievement of objectives

Page 12:

Enterprise Risk Model - Control & Mitigate

Cn

Control & Mitigate

Retain & Manage/Mitigate Risk
Mitigate - (Detect & Correct)
Hedge Risk, diversify, finance
Self Insure

Avoid Risk
Control (Prevent) to reduce likelihood
Re-engineer to avoid risk
Change objectives (opportunity)

Transfer Risk to others
Purchase insurance

>Control - Action to correct or reduce certainty to an acceptable level

>Mitigation - Action to correct or reduce significance of risks and outcomes to an acceptable level (such as through diversification, financing, transfer, etc.)

Page 13:

Enterprise Risk Model - Exposure

E

Exposure

Function of the Certainty of Risk Occurrence, & Significance of Risk, if it occurred

Measured on a spectrum of acceptable ----- unacceptable

>Exposure - Susceptibility of objectives to risk remaining after control and mitigation activities

Page 14:

Risk Exposure

[Figure: risk exposure chart. Vertical axis: Significance (ticks M, VH); horizontal axis: Certainty (ticks VL, M, VH); zones: Unacceptable, Caution, Acceptable.]

Page 15:

Current Risk Assessment Process OF #3

> How would you describe your satisfaction with your current enterprise risk management process?
> Setting expectations
> Identifying risks
> Measuring and assessing risks
> Assessing and mitigating exposure
> Monitoring risk environment and risk management
> Assessing performance against expectations

Page 16:

Focal points for Enterprise Risk Management

Basics
Examples: Financial processes (purchasing, payments, accounting)
Typical Risk Classes: Information, Methods, Technology, Ethics

Behavior
Examples: Structure (accountability, responsibility); Tone: trust, motivation, ethics, enablement
Typical Risk Classes: People, Organizational, Environment

Business
Examples: Production, sales, distribution, design, engineering, human resources, service
Typical Risk Classes: Operational; Methods, Materials & equipment; Interest, Liquidity, Concentration, Market, Environment

Burning
Examples: Unconscious Conspiracy issues - sales practices; product liability; Challenger; transportation disasters
Typical Risk Classes: Ethics, Environment, Organization

Page 17:

Supporting different starting points..

Unprotected (Build It); Transitional (Fix It); “Go ahead.....” (Demonstrate It)

Basics: ? ? ?

Behavior: ? ? ?

Business: ? ? ?

Burning: ? ? ?

Page 18:

Focal Point for Risk Management OF #4

> What is your organization’s focal point for risk management at this time?

1. Basics

2. Behavior

3. Business

4. Burning

5. Any combination or all of the above

Page 19:

The value of Enterprise Risk Management

Basics: Reduce fraud, Minimize error, Increase efficiency & effectiveness

Page 20:

Risk Management Focus - Basics

Objective: Integrity of assets, transactions, reporting

Risk Classes: Methods & systems; Facilities; People; Information; Environment; Technology

Control:
Procedural Risk Frameworks (globally established); Guidance materials;
Policy infrastructure (Corporate, accounting); Established through training; Customized for “hostility” of local environment
Assessed by audit, or self assessed;
Metrics from benchmarking, compliance

Risk Consequences: Fraud, error, inefficiency; ineffectiveness

Page 21:

Four focal points

Common Cultural Specific Core

Basics Behavior Business Burning

Capability issues: - what, how, where

Policies, procedures, processes;
Reengineering, Business process redesign;
Quality improvement processes;
Benchmarking; best practices;
Handbooks; Training; Surveys, questionnaires, audits

Page 22:

The value of Enterprise Risk Management

Basics: Reduce fraud, Minimize error, Increase efficiency & effectiveness

Behavior: Reduce fraud & error; Increase efficiency & effectiveness; Engage & enthuse; Minimize penalty

Page 23:

Risk Management Focus - Behavior

Objective: Standards of ethics, trust, integrity, openness of communication, learning, responsiveness .......

Risk Classes: People; Environment;

Control:
Ethics policy infrastructure; Tone at the top; attention to detail
Culture creation / development processes
Customized for “hostility” of local environment
Assessed by culture profiles;
Metrics from benchmarking - internal & external

Risk Consequences: Fraud, Ineffectiveness, Loss of key people
Regulatory penalty, Loss of reputation, .......

Page 24:

Four focal points

Common Cultural Specific Core

Basics Behavior Business Burning

Commitment issues - why, whether

Structural issues - accountability, responsibility, authority
Leadership issues
Cultural issues - trust, motivation

Workshops, conferences, workgroups, surveys,

Page 25:

The value of Enterprise Risk Management

Basics: Reduce fraud, Minimize error, Increase efficiency & effectiveness

Behavior: Reduce fraud & error; Increase efficiency & effectiveness; Engage & enthuse; Minimize penalty

Business:
> Avoid or transfer risk
> Quantify risk uncertainty for specific risks
> Use capital market techniques to manage certain risks
> Improve quality / timeliness / price / delivery / technology
> Reduce costs / downtime / lost productivity
> Improve relationships with customers / employees / suppliers / regulators / investors / creditors
> Protect against criminal / civil / regulatory penalties
> Improve achievement of business objectives

Page 26:

Risk Management Focus - Business

Objective: Achievement of business objectives
Strategic; Group; division; department; team

Risk Classes: Methods & systems; Facilities; People; Information; Environment; Technology; Operations; Market; Credit;

Control:
Business Risk Frameworks (globally established); Impact & likelihood assessments
Business risk management assessment
Avoid (Prevent, Re-engineer)
Retain & manage (Detect, Correct, Hedge..)
Transfer (purchase insurance; self-insure)
Policy infrastructure; Engagement of key people; Assessed by audit, or management self assessed;
Metrics based on business risk

Risk Consequences: Failure to achieve business objectives

Page 27:

Four focal points

Common Cultural Specific Core

Basics Behavior Business Burning

Objectives / Purpose issues

Operational risks; Legal / regulatory; Capital / financial; Strategic

Measurement - analysis, hedge, transfer, avoid
Assessment - workshop, survey, interview

Engage, enable, enthuse

Page 28:

The value of Enterprise Risk Management

Basics: Reduce fraud, Minimize error, Increase efficiency & effectiveness

Behavior: Reduce fraud & error; Increase efficiency & effectiveness; Engage & enthuse; Minimize penalty

Business:
> Avoid or transfer risk
> Quantify risk uncertainty for specific risks
> Use capital market techniques to manage certain risks
> Improve quality / timeliness / price / delivery / technology
> Reduce costs / downtime / lost productivity
> Improve relationships with customers / employees / suppliers / regulators / investors / creditors
> Protect against criminal / civil / regulatory penalties
> Improve achievement of business objectives

Burning: Protect against fundamental risk

Page 29:

Risk Management Focus - Burning

Objective: Protection from fundamental risk
Achieve quantum leap opportunity

Risk Classes: All....

Control:
Structured format for open dialogue
Heightened awareness of unconscious conspiracy
Cross-silo workshops, conferences, meetings
Knowledge / memory management
Governance processes

Risk Consequences: Massive fraud, or error;
Disaster
Loss of competitive position
Loss of value

Page 30:

The Unconscious Conspiracy

> Disaster events
> No single “cause”
> Environment, technology, structure, culture, systems, processes, people all play a role
> The organization had all the information about the risk - but no one person had it all, or made the connections.
> A number of indicators of unconscious conspiracy were available..... in hindsight.

Page 31:

The Unconscious Conspiracy

Indicators...

> Today’s “Business Imperative” - industry wide
> Hot opportunity
> High reliance on a few wizards
> Dominating objective
> Unchallenged assumptions
> Dominating individual
> .......

Page 32:

Four focal points

Common Cultural Specific Core

Basics Behavior Business Burning

Learning issues - fundamental issues that are stuck at awareness / action stages

Accessed by workshops - shared awareness, moving the unconscious conspiracy to conscious awareness and action

Issues are normally fundamental, sometimes critical to survival

Page 33:

Integrated Risk Management

Basics Behavior Business Burning

Strategic, Operational

Governance, Accountability

Tone, Values, Ethics, Trust

Unconscious Conspiracy

Policies, Procedures

Fraud protection

Page 34:

Integrated Risk Management

Basics Behavior Business Burning

Strategic, Operational

Governance, Accountability

Tone, Values, Ethics, Trust

Unconscious Conspiracy

Policies, Procedures

Fraud protection

Information Systems

Avoid Transfer

Quantify uncertainty

Capital Market Strategies

Insurance Risk Management

Page 35:

Integrated Risk Management

Basics Behavior Business Burning

Strategic, Operational

Governance, Accountability

Tone, Values, Ethics, Trust

Unconscious Conspiracy

Policies, Procedures

Fraud protection

Information Systems

Quantify uncertainty

Avoid Transfer

Capital Market Strategies

Insurance Risk Management

Operational Uncertainty (non-quantified)

Page 36:

Integrated Risk Management

Basics Behavior Business Burning

Strategic, Operational

Governance, Accountability

Tone, Values, Ethics, Trust

Unconscious Conspiracy

Policies, Procedures

Fraud protection

Information Systems

Quantify uncertainty

Avoid Transfer

Capital Market Strategies

Insurance Risk Management

Operational Uncertainty (non-quantified)

Risk & control frameworks & Gap analysis

Systems quality & integrity

Page 37:

Integrated Risk Management

Basics Behavior Business Burning

Strategic, Operational

Governance, Accountability

Tone, Values, Ethics, Trust

Unconscious Conspiracy

Policies, Procedures

Fraud protection

Information Systems

Quantify uncertainty

Avoid Transfer

Capital Market Strategies

Insurance Risk Management

Operational Uncertainty (non-quantified)

Risk & control Maps & Gap analysis

Culture profiles
Control environment
change management

Systems quality & integrity

Page 38:

Integrated Risk Management

Basics, Behavior, Business, Burning

Strategic, Operational

Governance, Accountability

Tone, Values, Ethics, Trust

Unconscious Conspiracy

Policies, Procedures

Fraud protection

Information Systems

Quantify uncertainty

Business Risk Management

Self-assessment of exposure - leading to Action

Risk & Control frameworks

Avoid, Transfer

Capital Market Strategies

Insurance Risk Management

Operational Uncertainty (non-quantified)

Risk & control frameworks & Gap analysis

Culture profiles, Control environment change management

Systems quality & integrity

Page 39:

Integrated Risk Management

Basics, Behavior, Business, Burning

Strategic, Operational

Governance, Accountability

Tone, Values, Ethics, Trust

Unconscious Conspiracy

Policies, Procedures

Fraud protection

Information Systems

Quantify uncertainty

Business Risk Management

Self-assessment of exposure - leading to Action

Risk & Control frameworks

Avoid, Transfer

Capital Market Strategies

Insurance Risk Management

Operational Uncertainty (non-quantified)

Risk & control frameworks & Gap analysis

Culture profiles, Control environment change management

Governance review

Facilitated business & strategic risk assessment

Diagnostics

Systems quality & integrity

Page 40:

Integrated Risk Management

Basics, Behavior, Business, Burning

Strategic, Operational

Governance, Accountability

Tone, Values, Ethics, Trust

Unconscious Conspiracy

Policies, Procedures

Fraud protection

Information Systems

Quantify uncertainty

Business Risk Management

Self-assessment of exposure - leading to Action

Risk & Control frameworks

Avoid, Transfer

Capital Market Strategies

Insurance Risk Management

Operational Uncertainty (non-quantified)

Risk & control frameworks & Gap analysis

Culture profiles, Control environment change management

Governance review

Facilitated business & strategic risk assessment

Diagnostics

Systems quality & integrity

Internal Audit based on integrated Risk Framework

Page 41:

Enterprise Risk Management Implementation approaches

Common, Cultural, Specific, Core

Basics, Behavior, Business, Burning

Facilitated workshop

Risk Profiles, Risk Frameworks, Quantitative methods, Insurance methods

Procedural frameworks, Surveys

Enterprise risk framework database

Page 42:

What are the major challenges you face in developing an integrated approach to risk management?

Page 43:

What do you think needs to be done to manage these challenges?

Page 44:

Sustainable Risk Management aligns People, Objectives, Risks

> Builds Employee Involvement

> Creates Business Value

> Builds a Global Connection

> Enhances Teamwork

> Anticipates risk

Page 45:

The value of Enterprise Risk Management

Basics

Behavior

Business

Burning

Reduce fraud, Minimize error, Increase efficiency & effectiveness

Reduce fraud & error; Increase efficiency & effectiveness; Engage & enthuse; Minimize penalty

Protect against fundamental risk

Avoid or transfer risk

Quantify risk uncertainty for specific risks

Use capital market techniques to manage certain risks

Improve quality / timeliness / price / delivery / technology

Reduce costs / downtime / lost productivity

Improve relationships with customers / employees / suppliers / regulators / investors / creditors

Protect against criminal / civil / regulatory penalties

Improve achievement of business objectives

Page 46:

Presentation Evaluation

Page 47:

Next Steps

> Incorporate group brainstorms and Option Finder exercises into a report of today’s session

> Distribute report to all participants

> Other?