2013 ipsc qld - presenter greg saunders - developing excellence in risk management frameworks

Developing excellence in risk management frameworks Greg Saunders

Upload: greg-saunders-sirm-crp-iccp

Post on 15-Apr-2017


Page 1: 2013 IPSC QLD - Presenter  Greg saunders - developing excellence in risk management frameworks

Developing excellence in risk management frameworks

Greg Saunders


today’s presentation

• a catalyst on the horizon in the federal arena

• what is enterprise risk management (erm)

• fundamental concepts of erm

• why implement an erm framework

• erm vision

• risk ownership

• building a framework – the erm roadmap

• drivers of change

• early warnings

• key lessons

• a parting thought


“there are risks and costs to a programme of action but they are far less than the long range risks and costs of comfortable inaction”

John F. Kennedy


cfar position paper november 2012

• engaging with risk is a necessary step in improving performance

• an overarching framework for handling risk across the commonwealth would underpin the earned autonomy model

• ceos and directors as well as decision makers at different levels should be made explicitly accountable in legislation for oversight and management of risk

• legislative change would send an important signal that risk management is a key responsibility and requires a commitment of resources

a catalyst on the horizon


what is enterprise risk management?

“a process effected by an entity’s board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”

coso definition


fundamental concepts of effective erm

• a process, ongoing and flowing through an entity

• effected by people at every level of an organisation

• applied in strategy setting

• applied across an enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk

• designed to identify potential events affecting the entity and manage risk within its risk appetite

• able to provide reasonable assurance to an entity’s management and board

• geared to the achievement of objectives – it is a means to an end, not the end in itself


why implement erm in your organisation?

• reduce unacceptable performance variability

• align and integrate varying views of risk management

• enhance governance arrangements

• successfully respond to a changing business environment

• align strategy and corporate culture


erm vision

• management define capabilities needed to implement erm infrastructure

• organisations have different strategies, structure, culture and appetite for risk so no two approaches to managing risk are alike

• therefore the various capabilities supporting erm infrastructure may differ


building an erm framework

• set the foundation
   – adopt common risk language
   – establish oversight and governance

• build capabilities
   – assess risk and develop responses
   – design / implement capabilities
   – continuously improve capabilities

• enhance capabilities
   – quantify risk enterprise wide
   – improve enterprise performance
   – establish sustainable erm approach


erm framework components

• internal environment

• objective setting

• risk identification

• risk assessment

• risk response

• control activities

• information and communication

• monitoring


how it all fits together

Roadmap steps (columns):

Set Foundation: Adopt Common Language; Establish Oversight and Governance

Build Capabilities: Assess risk and develop responses; Design/Implement capabilities; Continuously improve capabilities

Enhance Capabilities: Quantify risk enterprise wide; Improve enterprise performance; Establish sustainable ERM approach

Component of ERM Framework (rows):

Internal environment: x x x x x x x x

Objective-setting: x x x x x x

Risk Identification: x x x x x x x

Risk Assessment: x x x x

Risk Response: x x x x x x x

Control Activities: x x x x x x

Information and Communication: x x x x x x x x

Monitoring: x x x x x x

The ERM Roadmap


Drivers of change

Change Enablement Priority | Consequence if Unaddressed

Top management commitment and support | No leadership or role models

Compelling business case for change | No action

Clear shared vision | No direction or focus

Realistic goals | No credibility or impact

Well defined action plan for change | No roadmap

Stakeholder engagement and support | No commitment or momentum

Accountability for results | No ownership

Manage the “human side” and effective communications | No endorsement of change or consistency in execution

Process view of implementing change | No systematic approach

Align performance measures | No achievement of objectives or realisation of benefits

Align process with culture | No success

Permanent Change | Nothing Happens


risk ownership

• implementation of effective erm requires the identification of individual risk owners

• ownership of process ownership for critical risks is one of the most important tasks in implementing erm

• executive management ensures responsibility, authority and accountability are defined and clearly articulated

• the risk owner has the responsibility, authority and accountability to manage the risk

• risk owners may elect to outsource the responsibility, however, if they do, that does not compromise their ownership of risk


early warnings

• visibility is the key

• well aggregated risk information across an organisation

• low and medium risk across a large part of an organisation is something to worry about

• emerging risk – how do you know what might be coming

• are organisational reporting lines a barrier or an advantage

• denial is a potential indicator of something being broken


key lessons

• effective erm processes can assist with key decisions

• you can choose where to invest and what the implications are

• justifying a business case based on risk will improve decision making

• effective erm will crystallise decision making

• erm must exist at all levels to know where to invest, how much to invest and what will happen if you don’t


a parting thought

“Risk is good. The point of risk management is not to eliminate it, that would eliminate reward. The point is to manage it, that is, to choose where to place bets and where to avoid betting altogether”

Th. A Stewart – Managing Risk in the 21st Century


questions