Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
Enterprise Risk Management
Managing Risk and Guiding Strategy July 25, 2017
Russ Hissom, CPA, CIA, CISA, CRMA, Partner
Agenda
Introduction
Overview of Enterprise Risk Management
ERM tools
Working together to identify risk
Strategic implementation of an ERM program
Practical application of ERM
About Baker Tilly
Baker Tilly offers an independent perspective on evaluating and implementing efficient business processes, financial analysis, and managing risk
80-year history of focusing on client needs and providing outstanding service
Top 15 accounting and advisory firm in the United States – deep resources to serve you!
Energy and Utilities Group serves nearly 400 utilities nationwide
Instructor Information
Russ Hissom, CPA, CIA, CISA, CRMA, Partner
Russ has served the utility industry for more than 30 years with consulting and compliance services. He has extensive experience with providing business advisory and internal audit services, technology needs assessments, workforce development planning, financial audits, enterprise risk management program implementation and financial and operational training for utilities.
Three lines of defense in risk management
Enterprise risk management (ERM)
ERM universe
Risk identification
Cross-organizational planning
Risk mitigation
Continuous refinement
Financial crash of 2007-2008
Collateralized debt obligations (CDOs) (A)
Hedges to manage risk (B)
(A) + (B) caused the crash
Driving to an ERM solution
Natural disasters
Commodity/fuel risk
Portfolio risk
Business continuity
Safety
Compliance
Traditional risk management
Risk Management
Insurance
Fragmented
Events
Beyond business risk management
Good governance
Performance optimization
Systematic approach to risk management
Proactive not reactive
Strategy driven
Solution - Enterprise Risk Management
Every entity exists to provide value to its stakeholders
ERM enables management to deal with uncertainty and opportunity
Enterprise Risk Management is:
Process
People
Enterprise wide
Reasonable Assurance
Strategy
Objective achievement
Typical functions that use ERM
• Strategic planning - identifies external threats and competitive opportunities, along with strategic initiatives to address them
• Marketing - understands the target customer to ensure product/service alignment with customer requirements
• Compliance & Ethics - monitors compliance with code of conduct and directs fraud investigations
• Accounting / Financial compliance - directs the Sarbanes-Oxley Section 302 and 404 assessment, which identifies financial reporting risks
• Law Department - manages litigation and analyzes emerging legal trends that may impact the organization
• Insurance - ensures the proper insurance coverage for the organization
• Treasury - ensures cash is sufficient to meet business needs, while managing risk related to commodity pricing or foreign exchange
• Operational quality assurance - verifies operational output is within tolerances
• Operations management - ensures the business runs day-to-day and that related barriers are surfaced for resolution
• Credit - ensures any credit provided to customers is appropriate to their ability to pay
• Customer service - ensures customer complaints are handled promptly and root causes are reported to operations for resolution
• Internal audit - evaluates the effectiveness of each of the above risk functions and recommends improvements
A. Strategic - high-level goals, aligned with and supporting its mission
B. Operations - effective and efficient use of resources
C. Reporting - reliability of reporting
D. Compliance - compliance with applicable laws and regulations
ERM is built on the COSO model
Relationship of objectives and components
Risk
Opportunity
Risk appetite
Risk grid: probability (High / Medium / Low) plotted against magnitude (Low Impact / Medium Impact / High Impact)
Risk Universe
Risk universe
Business Risk
External
Strategy
Process
People
Reporting
Technology
External risk
• Legal & regulatory
• Power & fuel costs
• Customer expectations
• Economic development
• Regional markets
• NERC requirements
Strategy risks
• Strategy direction
• Strategy implementation
• Organizational culture
• Governance
Process risk
• Operations – planning
• Operations – process
• Resource allocations
• Regulatory compliance
• Company change
People risk
• Leadership
• Governance
• Skills
• Culture of change
• Accountability
• Succession planning
• Organizational structure
Reporting risk
• Performance management
• Employee training
• Financial
• Budgeting
• Rating agencies
• Bond community
Technology risk
• IT governance
• Infrastructure
• Cybersecurity
• Training
• Personnel
Definitions, types of ERM frameworks and viewpoints
Business strategy & objectives, risk inventory and risk tolerance feed the risk evaluation and response process:
1. Document risk and magnitude
2. Document response
3. Design & implement mitigation controls, if applicable
4. Monitor risk and mitigation
ERM phased approach
Phase 1 – Build the foundation
Phase 2 – Introduce to individual business segments
Phase 3 – Enterprise wide implementation
Phase 1: Building a foundation for enterprise risk management
1. Awareness – build risk management vision, strategy and awareness
2. Capability – build initial risk management foundation of structure, resources and operating model
3. Alignment – align expectations through a risk management commitment
Objectives: executive-level support, core team development, department commitments
Phase 2: Segment-level introduction
4. Engagement – engagement in specific risk issues to help fulfill the risk management commitment
5. Value – demonstrating tangible value from a disciplined risk management process
6. Operationalize – department-level personnel at all levels fully engaged in and operationalizing the risk management process
Objectives: specific direction & consistency
Phase 3: Functioning at enterprise level
7. Collaborate – enhance ERM collaboration across other department teams to consider cross-department risk issues and interdependencies
8. Coordinate – enhance ERM coordination with other areas within the departments that focus on specific areas of risk exposure
9. Integrate – ERM is fully integrated with business planning, performance management, quality, and other key management processes
Objectives: departmental coordination, company-wide usage
Risk and control balance diagram: High Risk, Low Control; Zone of Balanced Risks and Controls; Low Risk, High Control
Roles of key organizational groups
Role of senior leadership
The Board’s role
Board oversight committees
Role of internal audit
Evaluate process
Give assurance on the process
Evaluate risk management reporting
Evaluate process for implementing ERM in strategy
Report to governing body
ERM and compliance
ERM – An alternative view of governance
One utility’s experience with ERM
The process
Management – recognition of need for ongoing risk assessment and management
Board – approval
Dept heads – buy-in and spread the word
Line workers – facilitation process, buy-in
Develop the risk universe
Risk frequency grid
Rating scale
Likelihood and impact grid
Voting results
ERCOT and ERM
ERCOT approach
http://www.ercot.com/content/meetings/finance_audit/keydocs/2013/0513/2_Committee_Education_on_Enterprise_Risk_Management.pdf
ERCOT monitoring and risk mitigation
ERCOT approach to governance
http://www.ercot.com/content/meetings/board/keydocs/2006/0815/Item_14_-_Audit,_Compliance,_Incident_Response,_ERM_Update.pdf
Summary
Common challenges
Sustainable ERM
Questions?