TRANSCRIPT
Accountants’ Annual Conference 2016 (NBAA)
Enterprise Risk Management: The Next Step in Business Management
CPA Emmanuel Johannes FCCA, CFE, CIA
3 December, 2016
Course Agenda
• Introduction to the Risk Management framework according to ISO 31000
• Concepts and definitions related to Risk Management
• Background information
• ERM linked to Strategic Risk Management
• Practical experience
• Risk analysis and risk evaluation
• Case Studies
What is Risk?
The International Organization for Standardization (ISO) produced an internationally recognised standard on risk management in 2009. ISO 31000:2009, Risk management – Principles and guidelines, redefines risk as: ‘the effect of uncertainty on objectives’.
Quick facts
• The concept of risk management developed steadily throughout the 20th century out of a combination of wars, weather-related disasters, mathematical theories and business imperatives.
• The title of chief risk officer was first used in 1993 by James Lam at GE Capital to describe a function that involved managing ‘all aspects of risk’.
• Peter Bernstein, in his influential book Against the Gods: The Remarkable Story of Risk summarised this changed attitude: ‘If everything is a matter of luck, risk management is a meaningless exercise. Invoking luck obscures truth because it separates an event from its cause.’
Definition of ERM
“… Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.”
‘Risk management is a process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the organisation’s objectives.’ (ACCA)
Structure: Three parts
Principles and Framework sit at the strategic level; Process sits at the operational level.
Principles: Why risk management?
Framework: How to integrate risk management in the existing management system?
Process: How to integrate risk management in the existing management practices and processes?
ISO 31000 RM Principles
For risk management to be effective, an organisation should comply with the principles below:
a) Create value
b) Be an integral part of organisational processes
c) Be part of decision making
d) Explicitly address uncertainty
e) Be systematic and structured
f) Be based on the best available information
g) Be tailored
h) Take into account human factors
i) Be transparent and inclusive
j) Be dynamic, iterative and responsive to change
k) Be capable of continual improvement and enhancement
Strategic Risk Management
• A comprehensive process to identify, evaluate and manage strategic risks to reduce uncertainty AND maximize opportunities
• Guiding Principles of SRM:
– Primary component of an organization’s ERM process
– Ultimate goal is protecting and enhancing shareholder value
– Effected by boards of directors, executive management and others
– A strategic approach to risk and managing uncertainty is necessary to achieve company objectives
– Continuous process
[Figure: SRM cycle of Identify, Assess, Analyze, Mitigate/Control, Monitor/Report and Adapt/Improve, aligned to Corporate Objectives and Corporate Tolerance. Inputs shown: Risk/Opportunity, Frequency & Severity, Related Impacts and Interdependencies, Risk Profile, Informed Decisions, and the choice to Retain/Finance or Transfer.]
Extended Enterprise & Value Chain
[Figure: the extended enterprise and its value chain, with three layers of responsibility:]
• Setting strategy, objectives, tone, policies, risk appetite and accountabilities; monitoring performance.
• Operating in accordance with objectives; ensuring adherence to laws and regulations, internal policies and procedures, and stakeholder commitments.
• Identifying and assessing risks that may affect the ability to achieve objectives; determining risk response strategies and control activities.
Strategic Risk Management Process
[Figure: strategic risk management process. Elements shown: Establishing Context; New Strategy & Risks; Business Planning & Strategy; Risk Strategy; Risk Framework, Control & Monitoring; Risk Identification & Assessment; Capital Management, Business Performance Monitoring; Economic Capital Allocation; Operational & Change Mgmt (Systems, Processes, People); Projects (Objectives, Resources, Risk, Capital); Market, product, customer, operational strategy; New ventures, risk/capital impact; Compliance to Regulations; Corporate governance. Objectives shown: Maximizing return on capital; Long term growth in shareholder value; Optimizing volume and profitability; Maximizing operational cost effectiveness.]
“A company needs to make money and create value by taking intelligent risks, and loses money or gets in trouble by failing to manage risk effectively.”
Why Integrate ERM with Strategy?
Bill Gates, Microsoft and the success of Windows
Bill Gates founded Microsoft with Paul Allen in 1975. In the early years their main product was the operating system MS-DOS, which they developed initially for IBM computers but were also able to sell independently. Although the performance of MS-DOS was poor, it was quite successful because of its low price and compatibility.
Allen left Microsoft in 1982 because of health problems. By 1985 Gates faced a key decision. MS-DOS was a slow system and was unable to make use of some major innovations in hardware, so it was only a matter of time before it was out-competed by other systems.
Because of the strong uncertainty in the operating software sector at the time, reliable foresight was not possible. This was a classic risk dilemma. Gates had several possibilities: sell Microsoft to one of its competitors; exit the operating systems market and focus on developing applied solutions; or invest in a new operating system.
This last option carried the greatest downside risk: it was expensive; the resources of Microsoft at the time were small compared with competitors like IBM and Apple; and failure would have meant the end of the company. But it also offered significant opportunities: there was no technical standard set for the new generation of computer systems, and if Microsoft could achieve ‘first-mover’ status it would be able to secure long-term monopoly revenues.
Gates was not reckless; he hedged his bets for some time: for example, by starting a joint venture with IBM and also developing some applications for the Apple operating system. However, he did invest in the development of the Windows system. Although in the first years Windows sold poorly and suffered some serious technical flaws, by the early 1990s it turned out to be the lead product in the operating systems market, defining the new technical standard. Microsoft Windows came to dominate the world’s personal computer market with over 90% market share.
Internal Forces (“Enabling Activities”) and External Pressures
[Figure: the strategic process feeding the ERM process. Internal forces: Board of Directors, Strategy, Cultural, Appetite, Tolerance, Ethics, Objectives. External pressures: Political, Shareholder Expectations, Regulators, Rating Agencies, Stakeholders. Information and guidance flow between the strategic process and the ERM process, which weighs Risk against Opportunity in order to Protect and Enhance Shareholder Value.]
Board & Executive Engagement
Company Strategy: “We are focused on achieving strong, long-term financial performance by…”
“Our future results of operations are subject to a number of risks and uncertainties. These risks and uncertainties could cause actual results to differ materially from historical and current results and from our projections…”
Corporate Governance: “…lead the Board, particularly as it focuses on strategic risks and opportunities facing the Company.”
Risk Oversight: “One of the functions of the Board is oversight of risks inherent in the operation of the Company’s business. The Board fulfills this function through reports from officers for oversight of particular risks within the Company, through legal review of the Company’s strategic plan, and through delegation of certain risk oversight functions…”
Culture: Enabling Activities: “Become a part of the company’s DNA”
Mission: Protect and enhance shareholder value
Infrastructure: Vision/Goals; Governance; Oversight structure; Common language; Policies; Technology; Tools; Techniques; Tolerance/appetite; Monte Carlo simulation
Process Integration: Operational processes; Strategic planning; Quality process; Competency models; Product development; Capital projects; Performance management
The Paychex ERM Framework
[Figure: a cycle driven by business goals, objectives and strategies: Identify Risks & Opportunities; Assess Risks & Opportunities; Develop Action Plans; Implement Strategy; Integrate Results; Monitor & Report Results.]
• Risk management is recognized as a key contributor to value creation.
• The risk culture is defined and enshrined to give managers and employees the requisite freedom of maneuver.
• An awareness of risk and the need to manage it pervades the enterprise.
• Risks are identified, reported, and quantified to the greatest possible extent.
• Equal attention is paid to both quantifiable and unquantifiable risks.
• Risk management is everyone’s responsibility and is not fragmented into compartments and silos.
• The enterprise avoids products and businesses it does not understand.
• Scenario planning embraces uncertainty and considers all possible developments.
Example ERM Framework
Identify & Assess Risk
Identifying the effectiveness of processes and controls via interactive participation with subject matter experts.
Step 1: Pre-work
Step 2: Workshop
Step 3: Mitigation
Step 4: Results
• Top-ranked risks are identified and reviewed to assess counter-measures.
• Key risks are identified and better understood, creating awareness and accountability.
• Business unit identifies risks associated with operational errors.
• Voting technology is utilized to score/rank the risks.
Operating Risk categories assessed: Vendor Failure; Failed Systems; Human Error; Failed Processes; Internal Fraud.
[Figure: two heat maps, Impact against Likelihood and Impact against Vulnerability, each on a 1 to 5 scale, with fifteen numbered risks plotted on the grid.]
Interactive Risk Assessments
• Assurance of preparedness
• Redeploy resources
• Enhance risk mitigation
• Measure for cumulative impact
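The workshop scoring described above, as an added Python example that is not from the presentation or from Paychex: each risk is scored on the 5 x 5 impact/likelihood grid, ranked, measured for cumulative impact, and mapped against a corporate tolerance to the Retain/Finance, Mitigate/Control or Transfer responses of the SRM cycle. The register entries, their scores, the tolerance value and the transfer rule are constructed assumptions.

```python
"""Impact x likelihood risk scoring, as on the workshop slide. Added example, not the
presenter's or Paychex's own tool; register values, tolerance and transfer rule are assumed."""
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    impact: int      # 1 (negligible) .. 5 (severe)
    likelihood: int  # 1 (rare) .. 5 (almost certain)

def score(r: Risk) -> int:
    """Product score on the 1..25 heat-map scale; rejects values off the 1..5 grid."""
    for v in (r.impact, r.likelihood):
        if not 1 <= v <= 5:
            raise ValueError(f"{r.name}: impact/likelihood must be 1..5, got {v}")
    return r.impact * r.likelihood

def response(r: Risk, tolerance: int) -> str:
    """Map a risk to an SRM-cycle response against corporate tolerance.
    Assumed rule: severe but rare exposures are transfer (insurance) candidates,
    anything within tolerance is retained/financed, the rest is mitigated/controlled."""
    if r.impact >= 4 and r.likelihood <= 2:
        return "transfer"
    if score(r) <= tolerance:
        return "retain/finance"
    return "mitigate/control"

def rank(risks, tolerance):
    """Rows of (name, score, response), top-ranked first; ties broken by impact."""
    ordered = sorted(risks, key=lambda r: (score(r), r.impact), reverse=True)
    return [(r.name, score(r), response(r, tolerance)) for r in ordered]

def cumulative_impact(risks):
    """'Measure for cumulative impact': total score across the register."""
    return sum(score(r) for r in risks)

# Constructed sample register using the operating-risk categories from the slide.
REGISTER = [
    Risk("Vendor Failure", impact=4, likelihood=2),
    Risk("Failed Systems", impact=5, likelihood=3),
    Risk("Human Error", impact=2, likelihood=5),
    Risk("Failed Processes", impact=2, likelihood=3),
    Risk("Internal Fraud", impact=5, likelihood=1),
]
TOLERANCE = 6  # assumed corporate tolerance on the 1..25 scale

if __name__ == "__main__":
    for row in rank(REGISTER, TOLERANCE):
        print(row)
```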
Risk Scenario Planning
“The present moment used to be the unimaginable future”
[Figure: ranges of usefulness over time. As distance into the future grows, uncertainty rises and predictability falls: Forecasting is useful in the near term, Scenario Planning in the middle range, and beyond that only “Hoping” remains.]
• Probable - “likely to” happen (current trends)
• Plausible - “could” happen (current knowledge)
• Possible - “might” happen (future knowledge)
• Preferable - “want to” happen (value judgements)
Results – what happened after mitigation
Key Risks Detail
1. Credit
Risk Description: Risk of financial loss due to client defaults, dependencies on banking partner lines of credit. The case of Treasury Registrar and liquidity in Tanzania.
Primary Organization Owner(s): Risk Management
Risk Type: (K) Known
Primary Indicators: Bad debt write-offs, National Economic Indicators, regional/industry factors, credit agency
Mitigation Strategies:
• Branch and client transaction thresholds
• Credit bureau monitoring; consumer and commercial credit review
• Credit policies, including secured funding and security deposits
• Monitoring for credit deterioration, industry/economic data and bankruptcy
• Allowance for doubtful accounts (reserve)
• Fraud industry coalition
2. Regulatory Compliance
Risk Description: Maintaining compliance for all products and services with applicable laws and regulations; ensuring timeliness and accuracy of regulatory change on Paychex platforms.
Primary Organization Owner(s): Risk Management
Risk Type: U1 (Unknown)
Primary Indicators: Regulatory activity, laws enacted, warranties/penalties, lawsuits, enforcement activity, regulatory inquiries
Mitigation Strategies:
• Monitoring enforcement trends, relevant publications and industry news
• Strong regulatory agency relationships
• Ongoing review and audit of compliance
• Increased training for applicable personnel
• Change management control process
ERM Dashboards
Providing the Board and senior management with greater risk transparency
• Compliance with risk policies and regulations: exposures vs. policy limits; regulatory compliance
• Earnings-at-risk: major internal drivers; key external variables
• Risk/return performance tracking: business units; customer segments; products
• Real time risk reporting: one touch visibility; drill down capabilities; 24x7 escalation; early warning signals
Value Preservation to Value Creation
The discipline of risk management has evolved from strictly a value preservation-based focus to a balanced focus between protecting assets and creating or enhancing value.
Risk Management today covers: Operating Risk; Credit Risk; Model Risk; Entrepreneurial Risk; Regulatory Compliance Risk.
Future/White Space: Target Models (3B); Lifetime Value Models; Churn Models; Discount Engine Models; Upsell Models; Sales Territory Models.
A flexible and dynamic risk management discipline is uniquely positioned to quickly adapt to change and identify opportunistic risk to create new streams of revenue and increase value.
Example: Brexit
The UK’s referendum on membership of the European Union (EU) in June 2016 resulted in a majority of British citizens voting to leave. The implications for businesses are unclear and are likely to remain so for some time; it will take many years for the UK to disentangle from the EU.
Brexit is an excellent example of uncertainty providing both threats and opportunities to businesses. Consider the travel and leisure industry. The fall in the value of sterling after the referendum result might reduce demand by travellers for holidays abroad as costs go up, but it is likely to be good news for hotels, restaurants and tour companies providing holidays in the UK as foreign tourist spending is set to surge.
All organisations should be trying to identify and assess their own areas of exposure to Brexit risks. A failure to do so smacks of complacency and could be damaging. The sudden collapse into administration of Lowcost Travel Group in July 2016 illustrates the risk of Brexit.
Avoid a tick-box attitude
Finally, a word of warning for those accountants in larger organisations looking to put in place comprehensive, detailed risk management systems, including policies, registers and regular reporting. These systems will not be sufficient to drive improvements or add value unless they are accompanied by intelligent review and analysis of what the data is saying about the business and its risk profile. There is a danger of becoming obsessed with the detail of the process, where the focus is hitting reporting deadlines in order to tick a box. This is not effective risk management.
Conclusion
Risk affects all organizations. It can have far-reaching consequences in terms of economic performance, environmental and safety outcomes, and professional reputation. Managing risk effectively and risk optimization, therefore, will help enterprises of all sizes and in all business sectors to perform well in an increasingly uncertain environment.
http://www.accaglobal.com/uk/en/technical-activities/technical-resources-search/2016/october/tf-effective-risk-management.html