
Enterprise Risk Management (ERM) Discussion American Gas Association Risk Management Committee Meeting July 25, 2016




Copyright © 2016 Deloitte Development LLC. All rights reserved.


• Discuss the value of ERM and board’s role in risk


• Highlight leading practices in board reporting

• Review hot topics for boards today

Value of ERM


What is risk?

“The potential for loss – or the diminished opportunity for gain – caused by factors that can adversely affect the achievement of a company’s objectives”

Risk types

[Chart: risk types plotted on two axes, each running from less to more. Vertical axis: expected reward for risk (value to an organization for taking on risks). Horizontal axis: controllability (ability of the organization to minimize the risks). Categories shown on the chart: imposed risks, self-inflicted risks, calculated risks.]

Board’s role in risk oversight


Key components of board’s risk oversight

• What oversight ensures the strategy is executed?

• What shared values guide the organization?

• How is risk measured and monitored?

• What infrastructure enables execution?

• What vision drives the organization?

• What are the risks to the strategy and risks of the strategy?

• How is risk managed?

• What are the principles that enable the organization to create, deliver and capture value?



Examples of risk oversight success factors

• Encompass the entire business

• Address the full spectrum of risks

• Understanding of company’s major risks

• Consider not just single events, but the interaction of multiple risks

• Clear direction on corporate risk appetite and how it applies to specific functional areas

• Consistent application of risk processes across functional areas

• Clear and transparent communication related to company enterprise risks

• Broad risk experience, with sufficient focus on appropriate data and reporting techniques to facilitate productive discussion

• Balance risk probability, vulnerability, and consequences

• Make strategic decisions that arise from risk-informed processes

Board reporting

Board committee reporting

[Poll chart: which body receives ERM reporting. Response options: a dedicated risk committee; the Audit and Finance Committee; report directly to the full Board; other.]

Source: Results from the roundtable poll conducted in preparation for the October 2015 P&U ERM Roundtable hosted by Deloitte (total 40 respondents)

Reporting frequency

[Poll chart: how often ERM reports to the board. Response options: quarterly; semi-annually; annually; other.]

Source: Results from the roundtable poll conducted in preparation for the October 2015 P&U ERM Roundtable hosted by Deloitte (total 40 respondents)

Report content

[Poll chart: what ERM board reports contain. Response options: risk trends; external or industry events; risk concepts; emerging risks.]

Source: Results from the roundtable poll conducted in preparation for the October 2015 P&U ERM Roundtable hosted by Deloitte (total 40 respondents)

Board hot topics


• Focus on strategic risk

• Quantification of operational risk reduction efforts

• Understanding of risk culture

• Framing brand/reputation risk

• Clarity on cybersecurity risk

Strategic risk

Strategic risks threaten to disrupt the assumptions at the core of a company’s strategy (and strategic objectives), and undermine a company's ability to achieve or maintain exceptional performance.

• Unclear what to look for

• Signals often weak

• Sources may be in other industries or geographies

• Traditional tools and methods don’t reliably detect what’s “over the horizon”

• No historical precedent

Operational risk

• Assuring that O&M and capital asset investment decisions are optimal and defensible to the company’s stakeholders (customers, employees, investors and regulators)

• Showing that investments reduce risk(s)

• Confirming that the O&M and capital investment decision-making process will achieve consistent outcomes


Risk culture

• Increased rate of employee turnover for Millennial generation is changing concept of employee “loyalty”

• Increased competition and cost constraints are exposing organizations to risk

• Unreasonable expectations (e.g., leadership, stakeholders, regulators, customers)

• Evolution of required competencies

As a result of changes in the marketplace and workforce, a strong risk culture is increasingly critical for success.


• Significant change to business model

• Reorganization/Right sizing

• Frequency of negative incidents and/or close calls

• Increased competition and cost constraints are exposing organizations to risk

• Frequency of regulatory violations


Brand/reputation risk

• 88% of companies rate reputation risk a critical or the most critical risk

• How companies rate themselves in managing reputation risk

• Most critical reputation risk elements are:

             Security   Ethics/Integrity   Product/Services
  Yesterday    20%            19%                16%
  Today        45%            55%                43%
  Tomorrow     43%            50%                40%

Source: Deloitte’s 2014 Global Survey on reputation risk

Brand/reputation risk (cont.)

Preparedness for risks that drive reputation†

Companies feel most prepared to manage risks within their direct control…

• 69% Regulatory compliance

• 68% Employee misconduct

• 66% Executive misconduct

… and least prepared for risks beyond their direct control

• 47% Third party/extended enterprise issue

• 44% Competitive tasks

• 44% Hazard or other catastrophe

†Respondents could choose more than one answer; the top three are shown above.

Common questions on cybersecurity risk

• What is your cybersecurity risk profile?

• How do you define cybersecurity risk?

• Who owns the risk?

• What is ERM’s role in cybersecurity risk?

• Who reports on the cybersecurity risk(s), and how frequently?

• How do you assess that investments in your cybersecurity program reduce the risk?

• What cybersecurity insurance do you need, and how much?

Contact information

Asma Qureshi, Senior Manager, Deloitte Advisory, Strategic Risk

Deloitte & Touche LLP, 30 Rockefeller Plaza, New York, NY 10112-0015

Tel: +1 212 436 7659

Mobile: +1 347 255 [email protected]

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2016 Deloitte Development LLC. All rights reserved. 36 USC 220506. Member of Deloitte Touche Tohmatsu Limited.