Enterprise Risk Management (ERM) - Impact of 2017 COSO ERM Model

Institute of Internal Auditors, Detroit Chapter Meeting

February 2019

With you today

Sarah Ann Moore

Director

Internal Audit and Enterprise Risk, KPMG

Agenda

• The context for the COSO update − Connecting strategy, risk and performance

• Summary of key COSO 2017 changes

• Impact on current ERM practices

• Closing thoughts − Keys to long-term ERM success

• Questions

The context for the COSO update

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

“If you aren’t constantly assessing strategy and risk, and adjusting as you go, there’s no way you’re keeping pace as a business or a board.”

- Public Company Director, KPMG’s Global Boardroom Insights


Change is moving faster than ever…

Regulations and Policies: Designed to protect the way the world worked in the 20th century, regulations have not evolved to today’s world.

Business Models & Strategies: Those developed in the ‘Industrial Age’ are being challenged by companies that leverage technology and agile business models to meet the demands of today’s marketplace and customers.

Customer Behavior: Behavior is changing as demographic shifts and economic conditions ripple through sectors.

Exponential Technologies: Fortune 500 companies are struggling to adopt and implement technology enablers to meet changing demand.

Macrotrends are changing behaviors…

Large demographic shifts are driving change in customer preferences, expectations, and spending behavior across all industries… impacting people’s preferences around products, convenience, and how they go about purchasing.

• Changing household makeups and an increase in the number of single households is impacting the way consumers spend and shop (165% increase in the number of single households since the ‘70s)

• Urbanization increases consumer demand for alternative channels for purchasing all products, including oral care products and services (60% of the world’s population is expected to live in cities by 2030)

• Boomers are entering retirement, and the aging population is expected to drive a large increase in healthcare expenditure (by 2030, the world’s 65+ population will double to 1 billion)

• Millennials are entering their prime spending years, and will have a significant impact on the market and purchasing behavior and preferences (1 in 3 adults will be a millennial by 2020)

Technology is the great accelerator…

Technology is changing people’s behavior: 72% of U.S. adults own a smartphone, and the average consumer checks their phone every six minutes.

• Digital path to purchase

• Enhanced customer experience

• Customization

Technology is enabling new business models:

• Tech giants

• Startups

• The Internet of Things

CEOs aware and concerned…

Source: KPMG CEO Study “Setting the course for growth: CEO Perspectives”

Why ERM and where does COSO fit in?

By evaluating the threats and opportunities to strategy and objectives, ERM closely links risk, strategy, and performance, enabling management to make more informed decisions.

Governance

• Adhere to better practice principles of corporate governance (COSO ERM Framework, NACD “core principles”, etc.)

• Meet rating agency expectations

• Federal sentencing guidelines principles - foundation for effective corporate compliance

Strategy

• Provide a competitive advantage versus industry peers

• Link strategic planning objectives to enterprise risks to align key priorities with senior management

Operational Performance

• Provide greater transparency on events that impact desired performance

• Enhance ability to meet goals through targeted action and clear accountability

• Supports an organization-wide “Risk-Aware” culture

• Better leverage of supporting systems and tools to optimize operational effectiveness

Connecting strategy and risk: Innovating and pursuing opportunity while balancing upside and downside

Business model elements: Financial Performance Targets; Markets; Propositions and Brands; Clients and Channels; Core Business Processes; Operational & Technology Infrastructure; Organizational Structure, Governance, Risk & Controls; People and Culture; Measures and Incentives.

Financial performance targets: Growth; Profitability; Liquidity; Leverage; Operating model cost.

Risks to Strategy

— Acquisitions

— Pricing

— New markets

— New products

External Risks

— Natural hazards

— Commodity prices

— Geopolitical events

— Cyber attack

Internal Risks

— Regulatory violations

— Quality issues

— Technology and data events

— Resource shortages

Focus of the majority of today’s ERM programs is value preservation, not value creation.

Summary of key COSO 2017 changes

COSO 2017 – headlines

The new COSO ERM Framework titled Enterprise Risk Management—Integrating with Strategy and Performance is an update to the 2004 publication (Enterprise Risk Management—Integrated Framework).

The update:

• addresses advancements made in ERM practices since 2004

• acknowledges the evolving business environment and the need for enhanced ERM strategies and processes

• highlights the need to consider risk to strategy (strategy-setting process and strategy execution)

Source: Enterprise Risk Management–Integrating with Strategy and Performance, Executive Summary, COSO, (2017)


COSO 2017 – headlines

The updated document:

• Describes the five new Framework components and 20 underlying principles. It also includes a graphic that illustrates how these components and principles interact

• Provides an updated definition of enterprise risk management

• Highlights the role of ERM in not just preserving value, but also creating value. It elevates discussion of strategy and link to performance management

• Links ERM and decision-making activities

• Encourages the integration of ERM as part of the management of an organization as opposed to a siloed activity

• Examines how organization culture can influence the effectiveness of ERM

• Enhances the concepts of risk appetite and tolerance

Uncertainty that matters…

[Risk is] “the possibility that events will occur and affect the achievement of strategy and business objectives.”

[Enterprise Risk Management is] “the culture, capabilities, and practices, integrated with strategy setting and performance, that organizations rely on to manage risk in creating, preserving and realizing value.”

Source: Enterprise Risk Management – Integrating Strategy with Performance, June 2017

Link to COSO’s 2013 Internal Control–Integrated Framework

• The new ERM Framework and the Internal Control Framework complement each other, with neither superseding the other

• The updated ERM Framework describes areas that go beyond internal control; however, the Internal Control–Integrated Framework remains a viable and suitable framework for designing, implementing, conducting and assessing the effectiveness of internal control and for reporting, as required in some jurisdictions

Source: Enterprise Risk Management–Integrating with Strategy and Performance, Frequently Asked Questions, COSO, (2017)

Impact on current ERM practices


ERM framework components

The framework has seven components: Risk Strategy and Appetite; Risk Governance; Risk Culture; Risk Assessment and Measurement; Risk Management and Monitoring; Risk Reporting and Insights; Data and Technology.

Elements within these components include:

• Linkage to corporate strategy
• Board Oversight and Committee
• Knowledge and Understanding
• Risk Definition and taxonomy
• Risk Mitigation, Response and Action Plans
• Risk Reporting
• Data Quality and Governance
• Risk Strategy
• Company Risk Operating Structure
• Belief and Commitment
• Risk Identification
• Testing, Validation and Management’s Assurance
• Business/Operational Requirements
• Risk Analytics
• Risk Appetite and Tolerance
• Risk Guidance
• Competencies and Context
• Assessment and Prioritization
• Monitoring
• Board and Senior Management Requirements
• Technology Enablement
• Roles and Responsibilities
• Action and Determination
• Quantitative Methods and Modeling
• Risk in Projects/Initiatives
• External Requirements
• Decision Support
• Risk Aggregation, Correlation and Concentration
• Scenario Analysis and Stress Testing
• Capital and Performance Management

Common areas of current ERM focus

ERM framework areas where we see companies investing to better connect risk and strategy and to drive ERM into the business:

Risk governance

- “Guiding principles” and rationale for ERM

- ‘Plain English’ risk program policy/strategy

- Clear roles and responsibilities that support engagement (linked to 3LOD)

Risk appetite framework and tools

- Risk aligned to the strategy process

- Risk appetite articulated and risk thresholds/guardrails built into reporting and decision making

- Scenario analysis and risk interconnectivity (acknowledging that risk events do not occur in silos)

Risk culture

- Understanding risk culture and its impact on decision making across the organization

- Targeted risk communication, awareness and training

- Risk linked to performance management processes

Risk governance – 3LOD

Three lines of defense model:

— IA is a 3rd line function – sufficient independence for objective oversight of risk management

— ERM is primarily a 2nd line function - some activities in the 1st line or in the 3rd line

[Diagram: 1st line of defense – Business Owners (risk content accountability); 2nd line of defense – Standard Setters (risk process accountability); 3rd line of defense – Assurance Providers (risk process and content monitoring); Risk Governance spans all three lines.]

Risk governance – 3LOD: 1st and 2nd line operating models

The relationship between the 2nd line (oversight of risk) and the 1st line (management of risk) ranges across models:

• Distributed, dedicated 2nd line team with great proximity to the business, acting as coach; aligned agency, on the ground to drive

• 2nd line partners from the center; potential for an advice model

• Entirely centralised 2nd line; 1st line is self-sufficient, with little proximity; 2nd line provides advice, training and consultancy, and 1st line staff are experienced practitioners

Typical 2nd line activities:

• Proposal of risk appetite & risk policies

• Monitoring adherence to risk limits

• Reviewing and monitoring specific risk policies

• Portfolio monitoring and review

• Risk approval of transactions within specified limits and mandates

• Cascade of board approved risk limits into specific limits for business activities

• Assurance and thematic review

• Teaching, training, coaching

1st and 2nd line relationships can change based on maturity factors:

• extent of 1st line skills and experience

• recent issues or losses

• regulatory attention

• other strategic change/risk factors (e.g. off-shoring, restructuring, acquiring new businesses)

Risk appetite framework and tools

Actual risk profile: What does the company’s risk profile look like given the current state of risk strategies and plans?

Risk appetite: How much risk is the company willing to accept in pursuit of value and growth?

Risk-taking capacity: What is the maximum risk that the company can possibly take, given appetite, linked to available capital or equity, liquid assets, borrowing capacity, resources?

Target risk profile: Given the risk appetite and capacity, what should the company’s risk profile look like, considering business objectives and external perceptions?

Risk appetite framework and tools – example risk appetite statement

The risk appetite cascades from the business plan through risk categories and risk types down to risk tolerances/limits.

Risk categories and risk types:

Financial Risk: Interest Rate; Inflation; Default; Credit

Operational Risk: People; Technology; Procurement; Business Continuity; Contracts

People Risk: Conduct; Training; Turnover

Further risk types shown: Catastrophe; Reserving; Concentration

Example risk tolerances/limits:

Credit
Type | Measure | Limit
Asset Quality | BU avg. credit rating | A
Asset Quality | Aged debt report, % > 30 days | 20%
Counter-party | Minimum financial strength credit rating | A-

People
Type | Measure | Limit
Conduct | Instances of misconduct | X
Training | Training sessions attended | X per year
Turnover | Number of resources resigning in a year | X or X%

Catastrophe
Type | Measure | Limit
Quake | 1 in 250 year peak peril | $X
Wind | 1 in 100 year peak peril | $X
All Perils | In X years | Lower of $X

Risk culture – what is below the surface?

Risk culture - conceptual framework

Closing thoughts


Keys to long-term ERM success

Achieving a successful ERM program requires a holistic and integrated approach to managing risk, and can be accomplished through the following, as highlighted in our latest ERM thought leadership piece, Enterprise risk management: Protecting and enhancing value:

• Future-focused ERM content

• Single view of risk “appetite”

• Tailored, proportionate ERM process

• Efficient and aligned governance, risk, and compliance activities

Questions?

Thank you

Sarah Ann Moore, Director

Internal Audit and Enterprise Risk, KPMG

Tel: 312 550 6750

[email protected]

The KPMG name and logo are registered trademarks or trademarks of KPMG International.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.

kpmg.com/socialmedia

KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity, and is in all respects subject to our client and engagement acceptance procedures as well as the negotiation, agreement, and execution of a specific engagement letter or contract. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.