Enterprise Risk Management (ERM) -Impact of 2017 COSO ERM Model
Institute of Internal Auditors, Detroit Chapter Meeting
February 2019
Agenda
• The context for the COSO update – Connecting strategy, risk and performance
• Summary of key COSO 2017 changes
• Impact on current ERM practices
• Closing thoughts – Keys to long-term ERM success
• Questions
© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
“If you aren’t constantly assessing strategy and risk, and adjusting as you go, there’s no way you’re keeping pace as a business or a board.”
– Public Company Director, KPMG’s Global Boardroom Insights
The context for the COSO update
Change is moving faster than ever…
Regulations and Policies
Designed to protect the way the world worked in the 20th century, regulations have not evolved to today’s world.
Business Models & Strategies
Those developed in the ‘Industrial Age’ are being challenged by companies that leverage technology and agile business models to meet the demands of today’s marketplace and customers.
Customer Behavior
Behavior is changing as demographic shifts and economic conditions ripple through sectors.
Exponential Technologies
Fortune 500 companies are struggling to adopt and implement technology enablers to meet changing demand.
The context for the COSO update
Macrotrends are changing behaviors…
Large demographic shifts are driving change in customer preferences, expectations, and spending behavior across all industries…
• Changing household makeups and an increase in the number of single households is impacting the way consumers spend and shop (165% increase in the number of single households since the ‘70s)
• Urbanization increases consumer demand for alternative channels for purchasing all products, including oral care products and services (60% of the world’s population is expected to live in cities by 2030)
• Boomers are entering retirement, and the aging population is expected to drive a large increase in healthcare expenditure (by 2030, the world’s 65+ population will double to 1 billion)
• Millennials are entering their prime spending years, and will have a significant impact on the market and purchasing behavior and preferences (1 in 3 adults will be a millennial by 2020)
…impacting people’s preferences around products, convenience, and how they go about purchasing
The context for the COSO update
Technology is the great accelerator…
Technology is changing people’s behavior: 72% of U.S. adults own a smartphone, and the average consumer checks their phone every six minutes
• Digital path to purchase
• Enhanced customer experience
• Customization
Technology is enabling new business models
• Tech giants
• Startups
• The Internet of Things
The context for the COSO update
CEOs aware and concerned…
Source: KPMG CEO Study “Setting the course for growth: CEO Perspectives ”
The context for the COSO update
Why ERM and where does COSO fit in?
By evaluating the threats and opportunities to strategy and objectives, ERM closely links risk, strategy, and performance, enabling management to make more informed decisions
Governance
• Adhere to better practice principles of corporate governance (COSO ERM Framework, NACD “core principles”, etc.)
• Meet rating agency expectations
• Federal sentencing guidelines principles – foundation for effective corporate compliance
Strategy
• Provide a competitive advantage versus industry peers
• Link strategic planning objectives to enterprise risks to align key priorities with senior management
Operational Performance
• Provide greater transparency on events that impact desired performance
• Enhance ability to meet goals through targeted action and clear accountability
• Support an organization-wide “risk-aware” culture
• Better leverage supporting systems and tools to optimize operational effectiveness
The context for the COSO update
Connecting strategy and risk – Innovating and pursuing opportunity while balancing upside and downside
Business model
• Markets
• Propositions and Brands
• Clients and Channels
• Core Business Processes
• Operational & Technology Infrastructure
• Organizational Structure, Governance, Risk & Controls
• People and Culture
• Measures and Incentives
Financial Performance Targets
• Growth
• Profitability
• Liquidity
• Leverage
• Operating model cost
Risks to Strategy
— Acquisitions
— Pricing
— New markets
— New products
External Risks
— Natural hazards
— Commodity prices
— Geopolitical events
— Cyber attack
Internal Risks
— Regulatory violations
— Quality issues
— Technology and data events
— Resource shortages
Focus of the majority of today’s ERM programs is value preservation, not value creation
The context for the COSO update
COSO 2017 – headlines
The new COSO ERM Framework, titled Enterprise Risk Management—Integrating with Strategy and Performance, is an update to the 2004 publication (Enterprise Risk Management—Integrated Framework).
The update:
• addresses advancements made in ERM practices since 2004
• acknowledges the evolving business environment and the need for enhanced ERM strategies and processes
• highlights the need to consider risk to strategy (strategy-setting process and strategy execution)
Source: Enterprise Risk Management–Integrating with Strategy and Performance, Executive Summary, COSO, (2017)
Summary of key COSO 2017 changes
COSO 2017 – headlines
The updated document:
• Describes the five new Framework components and 20 underlying principles. It also includes a graphic that illustrates how these components and principles interact
• Provides an updated definition of enterprise risk management
• Highlights the role of ERM in not just preserving value, but also creating value. It elevates discussion of strategy and link to performance management
• Links ERM and decision-making activities
• Encourages the integration of ERM as part of the management of an organization as opposed to a siloed activity
• Examines how organization culture can influence the effectiveness of ERM
• Enhances the concepts of risk appetite and tolerance
Uncertainty that matters…
[Risk is] “the possibility that events will occur and affect the achievement of strategy and business objectives.”
[Enterprise Risk Management is] “the culture, capabilities, and practices, integrated with strategy setting and performance, that organizations rely on to manage risk in creating, preserving and realizing value.”
Source: Enterprise Risk Management–Integrating with Strategy and Performance, COSO, June 2017
Summary of key COSO 2017 changes
Link to COSO’s 2013 Internal Control–Integrated Framework
• The new ERM Framework and the Internal Control Framework complement each other, with neither superseding the other
• The updated ERM Framework describes areas that go beyond internal control; however, the Internal Control–Integrated Framework remains a viable and suitable framework for designing, implementing, conducting and assessing the effectiveness of internal control and for reporting, as required in some jurisdictions
Source: Enterprise Risk Management–Integrating with Strategy and Performance, Frequently Asked Questions, COSO, (2017)
Summary of key COSO 2017 changes
ERM framework components
Risk Strategy and Appetite
• Linkage to corporate strategy
• Risk strategy
• Risk appetite and tolerance
Risk Governance
• Board oversight and committee
• Company risk operating structure
• Risk guidance
• Roles and responsibilities
Risk Culture
• Knowledge and understanding
• Belief and commitment
• Competencies and context
• Action and determination
Risk Assessment and Measurement
• Risk definition and taxonomy
• Risk identification
• Assessment and prioritization
• Quantitative methods and modeling
• Risk aggregation, correlation and concentration
Risk Management and Monitoring
• Risk mitigation, response and action plans
• Testing, validation and management’s assurance
• Monitoring
• Risk in projects/initiatives
• Scenario analysis and stress testing
Risk Reporting and Insights
• Risk reporting
• Business/operational requirements
• Board and senior management requirements
• External requirements
• Capital and performance management
Data and Technology
• Data quality and governance
• Risk analytics
• Technology enablement
• Decision support
Impact on current ERM practices
Common areas of current ERM focus
ERM framework areas where we see companies investing to better connect risk and strategy and to drive ERM into the business:
Risk governance
- “Guiding principles” and rationale for ERM
- ‘Plain English’ risk program policy/strategy
- Clear roles and responsibilities that support engagement (linked to 3LOD)
Risk appetite framework and tools
- Risk aligned to the strategy process
- Risk appetite articulated, and risk thresholds/guardrails built into reporting and decision making
- Scenario analysis and risk interconnectivity (acknowledging that risk events do not occur in silos)
Risk culture
- Understanding risk culture and its impact on decision making across the organization
- Targeted risk communication, awareness and training
- Risk linked to performance management processes
Impact on current ERM practices
Risk governance – 3LOD
Three lines of defense model:
— IA is a 3rd line function – sufficient independence for objective oversight of risk management
— ERM is primarily a 2nd line function – some activities in the 1st line or in the 3rd line
[Figure: three lines of defense, spanned by Risk Governance]
— 1st line of defense: Business Owners – accountability for risk content
— 2nd line of defense: Standard Setters – accountability for risk process
— 3rd line of defense: Assurance Providers – monitoring of risk process and content
Impact on current ERM practices
Risk governance – 3LOD
[Figure: spectrum of 2nd line oversight of risk versus 1st line management of risk, from centralised to distributed]
— Entirely centralised 2nd line; 1st line is self-sufficient; little proximity
— 2nd line provides advice, training, consultancy; 1st line are experienced, self-sufficient practitioners
— Partner from center; potential for an advice model
— Aligned agency, on the ground to drive
— Distributed, dedicated team, great proximity, coach
Typical activities:
• Proposal of risk appetite & risk policies
• Monitoring adherence to risk limits
• Reviewing and monitoring specific risk policies
• Portfolio monitoring and review
• Risk approval of transactions within specified limits and mandates
• Cascade of board-approved risk limits into specific limits on business activities
• Assurance and thematic review
• Teaching, training, coaching
1st and 2nd line relationships can change based on maturity factors:
• extent of 1st line skills and experience
• recent issues or losses
• regulatory attention
• other strategic change/risk factors (e.g. off-shoring, restructuring, acquiring new businesses)
Impact on current ERM practices
Risk appetite framework and tools
Actual risk profile
What does the company’s risk profile look like given the current state of risk strategies and plans?
Risk appetite
How much risk is the company willing to accept in pursuit of value and growth?
Risk-taking capacity
What is the maximum risk that the company can possibly take, given appetite, linked to available capital or equity, liquid assets, borrowing capacity, resources?
Target risk profile
Given the risk appetite and capacity, what should the company’s risk profile look like, considering business objectives and external perceptions?
Impact on current ERM practices
Risk appetite framework and tools
Cascade: Business plan → Risk appetite → Risk category → Risk type → Risk tolerance/limit
Risk category: Financial Risk; Operational Risk; People Risk
Risk type: Interest Rate; Inflation; Default; Credit; People; Technology; Procurement; Business Continuity; Contracts; Catastrophe; Reserving; Concentration; Conduct
Risk tolerance/limit – Credit
Type | Measure | Limit
Asset Quality | Avg. credit rating | A
BU | Aged debt report, % > 30 days | 20%
Counter-party | Minimum financial strength credit rating | A-
Risk tolerance/limit – People
Type | Measure | Limit
Conduct | Instances of misconduct | X
Training | Training sessions attended | X per year
Turnover | Number of resources resigning in a year | X or X%
Risk tolerance/limit – Catastrophe
Type | Measure | Limit
Quake | 1 in 250 year peak peril | $X
Wind | 1 in 100 year peak peril | $X
All Perils | In X years | Lower of $X
Impact on current ERM practices
Risk culture – what is below the surface?
Impact on current ERM practices
Risk culture – conceptual framework
Impact on current ERM practices
Keys to long-term ERM success
Achieving a successful ERM program requires a holistic and integrated approach to managing risk, and can be accomplished through the following, as highlighted in our latest ERM thought leadership piece, Enterprise risk management: Protecting and enhancing value.
• Future-focused ERM content
• Single view of risk “appetite”
• Tailored, proportionate ERM process
• Efficient and aligned governance, risk, and compliance activities
Closing thoughts
Thank you
Sarah Ann Moore, Director
Internal Audit and Enterprise Risk, KPMG
Tel: 312 550 6750
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
kpmg.com/socialmedia
KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity, and is in all respects subject to our client and engagement acceptance procedures as well as the negotiation, agreement, and execution of a specific engagement letter or contract. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.