Enterprise Risk Management Expectations Outpacing Capabilities and The Audit Committee’s Role
July 30, 2013
Presented by: Suzette E. Ramsden (B.Sc., CISA, CBRA, CRMA)
Caribbean Association of Audit Committee Members Inc. 7th Annual General Meeting and Conference
“Governance, Audit and Compliance: Changing the Way We Do Business”
Hilton Trinidad Hotel & Conference Centre: July 29-30, 2013
Enterprise-Wide Risk Management
“Enterprise Risk Management is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives”
COSO’s Enterprise Risk Management – Integrated Framework (2004)
ERM in Today’s Global Economy
“Risk Management is at the top of the global executive agenda as companies face an array of threats that grow more complex by the day. The risks are multitudinous and ever-present, and those companies that fail to manage them well imperil their future”
Keeping Pace
“…challenges are growing faster than most organizations’ abilities to respond: today’s complex environment requires an even stronger capability to master and optimize Risk Management.”
Challenges
Ability
Contributors
Risk Management capabilities are not advancing fast enough
Significant gaps and weaknesses in the management of Enterprise Risk
Inability to manage risk in an integrated and holistic way
Constantly Evolving
“When Risk Management is a strategic tool, the risk program and profile will constantly evolve...”
Models Relevant to new Economic Environment
Ensure Risk Programs don’t go stale
Risk-Savvy
Shift in the Aftermath
In the aftermath of the Global Financial Storm
Risk-Averse
Risk-Taking
Unmanaged Risk
Risk Programs
Ever-Expanding Economy
Stagnant Economies
Although the ultimate accountability for Risk Management performance remains with the Board of Directors, boards are increasingly looking to board committees to provide assurance regarding the status of the organization’s Risk Management processes.
Audit Committee Charter
ERM Roles
Board of Directors: Oversight - Effectively oversee the organization’s Enterprise-Wide Risk Management.
Audit Committee: Provide assurance regarding the status of the organization’s Risk Management processes; that they are active, credible and effective.
Internal Audit: An independent, objective assurance and consulting activity to provide objective assurance to the board on the effectiveness of Risk Management.
Audit Committee Agenda
So... what should audit committees look for in a company’s Enterprise-Wide Risk Management endeavours to ensure abilities are not lagging behind expectations?
Intersection of Strategy and Risk
Enterprise Risk Management resources and actions must be integrated into the Strategic Planning process
Tool for collaborative decision-making embedded into management routines such as strategic planning
Engaging in discussion and dialogue with designated risk owners (senior management) to keep abreast of emerging risks
Assessing Risk Exposures
Is your organization conducting regular top-down and middle-up assessments and alignment of them to create a comprehensive risk profile of the enterprise?
Is Management focusing on those lower level operational risks that could frustrate accomplishment of the Board’s objectives for the company?
Are risks being aggregated and the inter-relationships identified to have a clear understanding of the velocity at which risks may occur?
Is guidance provided to the business units and functional groups to ensure that they have a consistent approach that is focused on business objectives?
Ensure consistency in the way risk is being assessed across the enterprise
Articulate Risk Appetite
Risk Appetite
Aggregate risk exposure monitored in monetary terms
Stress-test the resilience of their balance sheets by calculating the monetary value at which solvency would be jeopardized.
How do you know whether you have taken too much or not enough risk?
Risk appetite embedded into the business units and functional areas
Calculate the monetary value at which a loss or risk event would jeopardize its credit rating
Develop a formal Risk Appetite Statement
Three Lines of Defense
Enhance Risk Management via Business Units, Risk & Compliance and Internal Audit functions
Internal Audit
Risk & Compliance
Business Unit
Are Risk Management capabilities keeping pace with the changing needs of the enterprise and expectations of stakeholders?
Is consistent risk training being conducted across your three lines of defense?
Are processes and technologies in place to monitor and measure risk in a way that gets the three lines of defense closer in alignment?
Is risk information between lines of defense visible, freely shared and communicated to support dependencies?
Do your Board, shareholders and regulators understand your risk program?
Is Risk Management embedded in business processes in a way that enhances transparency?
Barriers to Convergence
Resources must be adequate to facilitate convergence or integration of risk and control functions
Risk and control silos
Obstructed flow of risk information
Changing goals and less clarity of risk data
Duplication and redundancy
Insufficient numbers of people
Lack of skills and human talent
Absence of technology enablers
Lagging governance structures
Stagnant risk and control oversight functions
Lack of executive support
Creating a Risk-Resilient Culture: A call to action
Risk Management Framework
Risk Resilient Culture
Risk Governance Structure
Key Questions
• How do you establish stakeholders’ expectations?
• How do you communicate Risk Management to the organization?
• How do you ensure that these Risk Management expectations are followed?
How can KPMG Help
Framework Element: Description
Risk Governance: Establish an approach to developing, supporting, and embedding the risk strategy and accountabilities
Risk Assessment: Identify, assess, and categorize risks across the enterprise
Risk Quantification and Aggregation: Measure, analyze, and consolidate enterprise risks
Risk Monitoring and Reporting: Report, monitor, and conduct activities to provide insights into risk management strengths and weaknesses
Risk and Control Optimization: Use risk and control information to improve performance
KPMG Contact Information
Robert Alleyne
Managing [email protected]
KPMG, 69-71 Edward Street, Port-of-Spain, Trinidad and Tobago
Dushyant Sookram
Partner, [email protected]
KPMG, 69-71 Edward Street, Port-of-Spain, Trinidad and Tobago
Neil Bhola
Manager, [email protected]
KPMG, 69-71 Edward Street, Port-of-Spain, Trinidad and Tobago
Suzette Ramsden
Manager, [email protected]
KPMG, 69-71 Edward Street, Port-of-Spain, Trinidad and Tobago