survey adr risk management effectiveness

8/12/2019 SURVEY ADR Risk Management Effectiveness

http://slidepdf.com/reader/full/survey-adr-risk-management-effectiveness 1/34

™

Risk Management Effectiveness

Survey Results

March 2011

CORPORATE INTEGRITY PRACTICE

Audit Director Roundtable



DEMOGRAPHICS

2

Respondents by Geography Respondents by Industry

n = 151

n = 151

United States56%

Europe(Other)14%

United

Kingdom9%

Canada8%

Australia8%

South Africa3%

Other 2%

1

1

2

3

3

3

3

4

4

4

4

4

5

5

5

5

6

6

6

6

7

8

13

14

14

15

Agriculture

Real Estate

Automotive & Transport

Other

Computer Hardware

Media

Construction

Computer Software

Industrial Manufacturing

Pharmaceuticals

Transportation Services

Leisure

Chemicals

Consumer Products Manufacturers

Electronics

Telecommunications Services

Government

Food & Beverages

Aerospace & Defense

Business Services

Metals & Mining

Retail

Energy & Utilities

Insurance

Health Care

Financial Services



Executive

SummaryState of Risk

Management

Role of

Internal Audit

ROAD MAP FOR THE PRESENTATION

Risk

Management

Effectiveness Appendix

4



Executive


Management

Role of

Internal Audit


Risk

Management


6



PRIORITIES FOR ERMThe priorities for ERM in 2011 are highly strategic in nature. More than half (56%) of respondents are progressing towards

aligning their risk management approach with the company‟s strategic objectives. In addition, 52 percent of respondents

identify enhancing risk culture across the organization as a priority, and 49 percent of respondents indicate embedding risk

management in the organization's day-to-day operations as a priority.

56%

52%49%

43%

21%

11%8%

Align risk managementapproach with

organization‟s strategicobjectives

Enhance risk cultureacross organization

Integrate and embedERM into the

organization's day-to-day operations

Identify key risks whicha company should

manage

Implement initiatives tocommunicate ERM

initiatives to allpersonnel in the

organization

Increase resourcesdedicated to risk

management

Other

What are your organization‟s ERM priorities in the coming year?

8

n = 141

Multiple Responses Allowed

SELECTED ROUNDTABLE SUPPORT

AXA- Evaluating Objectives from Top-down and Bottom-up

Evaluate strategies and objectives with a hybrid top-down/bottom-up

approach.

We are revising our Internal Audit risk assessment process to begin

with the strategic goals/objectives of the organization, and then to

determine what are the key risks in meeting those goals/objectives,

and then determining what are the key controls that are mitigatingeach of those key risks.

- Auditor General, Fortune 500

https://audit.executiveboard.com/Members/Popup/Download.aspx?cid=100233456&s=stc











BARRIERS FOR ERM

What are the main barriers to implementing ERM in your organization?

Others Include:

• Organizational

Priorities

• Poor Risk Culture

• Size andDiversity

The most frequently cited barriers to implementing ERM are 1) demonstrating value of ERM, 2) lack of internal resources, and

3) organizational structure. While the adoption of ERM has gained greater importance and recognition, many organizations still

find it hard to get adequate support from the senior management.

9

n = 145

Multiple Responses Allowed


Hayes Lemmerz - Risk Management Pilot Program

Securing executive buy-in for risk management is the most crucial

step in risk management implementation. Internal Audit at Hayes

Lemmerz led a pilot risk assessment to convince senior

management of the value of risk management.

In order to be successful, you need a well defined ownership of risk,a formal process for risk identification, and finally consistent internal

procedures for risk communication including follow-up.

- Internal Audit, Manufacturing

51%

38% 37%

28%

21% 21% 20%

11%

Demonstrating

value of ERM

Lack of internal

resources

Organizational

structure

Risk knowledge

and skills

Risk awareness Risk

communication

Risk methodology Other

https://www.audit.executiveboard.com/Members/ResearchAndTools/Abstract.aspx?cid=100074867







RISK GOVERNANCESimilar to risk ownership, „Overall Effectiveness‟ is not statistically related to who the ERM function reports to; therefore,

companies should focus more on creating mature ERM processes and less on the reporting relationship of the ERM function.*

n = 136

Who does your ERM function report into?

Others Include:

• Head of Operations

• Legal• Compliance

• Parent Company

36%

25%

16%

9% 6%4% 4%

Audit Committee Risk ManagementCommittee

Board of Directors Other Board LevelCommittees

CFO CEO Others

SELECTED ROUNDTABLE SUPPORTDelta Air Lines - Risk Councils

Delta Air Lines formed its Risk Council by bringing

representatives of various groups together to discuss the

cross-functional impact of risks. This helps in creating a

breakdown of departmental risks across the enterprise.

Our Audit Committee oversees the ERM process and isupdated on financial reporting related risks. But the entire

Board also receives an annual comprehensive ERM report

and periodic updates. This reflects the comprehensive

nature of our ERM process, and the AC's unique

qualification regarding risk management processes.

- Vice President Corporate Audit, Fortune 500

12*Analysis in Appendix

https://audit.executiveboard.com/Members/ResearchAndTools/Abstract.aspx?cid=100074864







ESTABLISHING A SINGLE VIEW OF RISKS

How do you report risk information to your board?

At present, there is no standard way of reporting risk information to the Board, but companies that report information to the

Board have higher „Overall Effectiveness‟ scores than those who do not. In addition, companies with greater information

integration* have higher levels of satisfaction with the quality of information produced by ERM processes.

How often is risk information (outside of Audit Plan presentation and status)

formally reported to the Board?

n= 151

n = 149

45%

23% 23%

7%2%

Quarterly Semi-Annually Annually More than onceper quarter

Less than onceper year


TIAA-CREF - Collaborative Risk Assessment

Assurance partners at TIAA-CREF hold collaborative risk

assessment sessions to share critical risk information and

enhance risk understanding. Risks uncovered become part

of a targeted incremental review by an assurance partner.

13

41%

13% 15%11%

7%

13%

Single report prepared jointly by various

assurance departments

Separate reports fromeach assurance

department based ona common risk language

Separate reports fromeach assurance

department based ondifferent risk languages

Single report prepared byan individual department

In state of development Completely ad-hoc

The line graph below depicts the levels of satisfaction with the quality of information

produced by the current ERM Function. 1=Highly Dissatisfied, 5=Highly Satisfied

* Companies that prepare a report jointly or separately but with a common risk language .

3.8 3.9

3.33.4

2.93.0










BOARD LEVEL SUPPORTBoard level support is instrumental in elevating the importance of risk management in the organization and a significant majority

(88%) of respondents report strong/supportive Board buy-in of their risk management efforts. On the other hand, there is a

disconnect between Board support and budget/FTEs dedicated to the task. Most organizations are still running very lean on

FTEs with a significant portion of the higher staffed companies coming from the Financial Services and Insurance industries.

On the low end, one in five companies are running risk management from the side of their desks. In addition, nearly 60 percentof the respondents do not have a specific line in the organization‟s budget for ERM.

Select the item that best describes Board level support for ERM at your organization.

Approximately how many full-time equivalents (FTEs) are dedicated to

ERM at your organization?

Yes

36%

No

59%

I don't know

5%

n = 151

Is there a specific line item in your organization‟s budget

for ERM?

n = 15114

15%

7%

52%

22%

4%

More than 10 6-10 1-5 0 I don‟t know

37% of this group is Financial

Services/Insurance companies.

n (All Respondents) = 150; n (Mature)= 58; n (Transitional) = 77; n(None) =15

30%

58%

9%3%

49% 48%

3% 0%

21%

71%

8%0%0%

27% 40% 33%

Strong advocate Supportive Indifferent No involvement

All

Mature Implementation

Transitional Implementation

No Implementation



RISK APPETITEProviding consistent guidelines on the company‟s risk appetite can play an instrumental role in managing risks at the ground

level. There is still no common approach to expressing risk appetite, and most companies are struggling to even have a

statement. The companies that express their statements in qualitative as well as quantitative form have the highest average

score for „Overall Effectiveness‟. Creating effective risk appetite statements could be one of the biggest challenges forcompanies in 2011.

How do you express the enterprise-level statement of the firm‟s risk appetite?

Impact of Risk Appetite Statement on Overall Risk EffectivenessAverage Risk Effectiveness Scores [with 1=Extremely Ineffective and 7=Extremely Effective]

n = 149

The degree of specificity in our risk appetite statements

varies considerably by risk. Certain risks are identified with

great detail others are left more general. Much dependson the level of measurability and degree to which the risk

can be defined.

- Vice President and Chief Risk Officer, Utilities

15

4.56

4.57

4.61

4.96

5.15

Do not have a statement of our firm‟s risk appetite

Quantitative form

Informally defined, but not approved

Qualitative form

Quantitative and Qualitative form

51%

10% 10% 5%

24%

Do not have a statement ofour firm‟s risk appetite

Informally defined, but notapproved

Qualitative form Quantitative form Quantitative and Qualitativeform



INTERNAL AUDIT‟S ROLE IN IMPLEMENTING ERM

What role did Internal Audit play in implementing ERM at your organization?

Internal Audit plays a varied role in implementing ERM, but it is often as facilitator or developer.

46%

33% 33%30%

27%

22%

Facilitated the firstenterprise riskassessment

Developed the enterpriserisk assessment

Designed the riskmanagement framework

or process

No involvement Trained senior and/or l inemanagement on the riskmanagement framework

or process

Owned the establishmentof ERM

n = 151

Multiple Responses

Allowed


Implementing a Risk ManagementFramework

Because Internal Audit is continually being

looked upon to provide assurance over risk

management capabilities, this teleconference

addressed the challenge of how to better

manage risk without significant investment in

additional resources.

Internal Audit has been assigned the responsibility to

support the implementation of ERM under the

supervision of my SVP and the CFO, with oversight

from the full Management Committee. Within 24

months, the responsibility for ongoing coordination

and reporting on ERM will pass to another department

other than Internal Audit.

-VP Internal Audit, Fortune 500

Together with the Company Secretary, we

developed an upgraded corporate risk model on

the back of a simplified COSO2ERM framework.

We incorporated a bit of CoBIT4, and ended up

with a corporate risk register (CRR) which

everyone could buy into. All of this was done in

Office Word, very simple, no capital investment .

– VP Internal Audit , Retail

19

https://audit.executiveboard.com/Members/Events/EventReplayAbstract.aspx?cid=100049058






QUALITY OF RISK INFORMATION Although half of the organizations surveyed are at least somewhat satisfied with the quality of information produced from their

ERM processes, there is still a lot of work to do. As companies move along the ERM maturity curve, there is a marked

improvement in the quality of risk information.

Please indicate your level of satisfaction with the quality of information produced

from your organization's existing risk management processes (assessment and

reports)?

Comparison among Companies with Different

Levels of ERM Implementation

% of respondents

5%

11%

24%

45%

15%

Highly dissatisfied

Somewhat dissatisfied

Neutral

Somewhat satisfied

Highly satisfied

n = 150


Enterprise Risk Framework Diagnostic

This diagnostic tool allows you to assess the quality of your risk management

framework. It can be used to measure a framework against 20 critical framework

attributes and prioritize improvements to the most critical framework weaknesses.

22

n (All Respondents) = 150; n (Mature)= 58; n (Transitional) = 77; n (None) =15

37%

46%

12%

5%

0%

3%

48%

30%

13%

6%

0%

20%

40%

27%

13%

Highly satisfied

Somewhat satisfied

Neutral

Somewhat dissatisfied

Highly dissatisfied

Mature Implementation

TransitionalImplementation

No Implementation

https://audit.executiveboard.com/Members/DecisionSupportCenters/Abstract.aspx?cid=77331542

https://audit.executiveboard.com/Members/DecisionSupportCenters/Abstract.aspx?cid=77331542



Executive


Management

Role of

Internal Audit


Risk

Management


23



OVERALL ERM EFFECTIVENESSThe Roundtable has identified five risk characteristics which define overall risk effectiveness of an organization. Companies are

currently doing a fair job of building awareness of the Board, but are struggling to anticipate and prevent risks. Mature

companies are significantly more effective in all areas of ERM effectiveness.

Please rate the current effectiveness of each of the following risk

management characteristics in your organization.

[with 1=Extremely Ineffective and 7=Extremely Effective]

Average Effectiveness

24


2011 Overall Top 10 Audit Plan Hot Spots

The Audit Plan Hot Spots research presents trends in emerging risk

areas that Internal Audit departments will focus on across the next 6

to 12 months.n (All Respondents) = 150; n (Mature)= 58; n (Transitional) = 77; n (None) =15

4.25

4.53

4.76

5.04

5.28

Risk Anticipation

Risk Prevention

Risk Awareness of the Business

Risk Response

Risk Awareness of the Boardand Senior Management

5.54

5.39

5.07

4.71

4.75

5.10

4.78

4.45

4.42

3.88

4.41

4.25

4.44

3.75

3.56

Risk Awareness of the Boardand Senior Management

Risk Response

Risk Awareness of the Business

Risk Prevention

Risk Anticipation

Mature Implementation Transitional Implementation

No Implementation

https://arc.executiveboard.com/Members/DecisionSupportCenters/Abstract.aspx?cid=100234272

https://arc.executiveboard.com/Members/DecisionSupportCenters/Abstract.aspx?cid=100234272



FACTORS IMPACTING ERM EFFECTIVENESS

25

Please rate the extent to which you agree that each of the following risk management attributes has been clearly articulated, communicated andimplemented in your organization? [1= Strongly Disagree and 7= Strongly Agree]


In the following two pages, the Roundtable has analyzed 15 factors that have a significant impact on overall risk effectiveness.

Once again, maturity of the ERM organization has a marked effect on the clarity and implementation of risk management

factors.

Continued to Next Page

5.81

5.90

5.90

5.71

5.76

5.26

5.29

5.08

5.14

4.81

5.00

4.12

3.88

3.94

3.88

5.53

5.48

5.34

5.31

5.15

Audit Plan Integration

Risk Assessment

Senior Management Support

Risk Identification

Risk Prioritization


No Implementation All

5.93

5.76

5.54

5.59

5.59

4.92

4.79

4.58

4.65

4.32

2.53

3.35

3.47

2.53

3.53

5.13

5.09

4.90

4.85

4.79

Risk Framework

Risk Reporting

Policies & Procedures

Risk Management Objectives

Roles & Responsibilities





FACTORS IMPACTING ERM EFFECTIVENESS

Respondents indicate that risk management has gained greater importance and recognition in organizations leading to greater

senior management support, better risk management assurance, and more robust audit plan integration.

26


Emerging Risk Update

Leverage the risk knowledge of our extensive network of

Finance executives to stay updated on emerging risks

that they should monitor and rapidly respond to.

Enterprise Risk Audit Planning

This webinar discussed how Internal Audit can effectively

broaden risk coverage and provide greater assurance by

using a holistic approach to audit planning.

Please rate the extent to which you agree that each of the following risk management attributes has been clearly articulated, communicated andimplemented in your organization? [1= Strongly Disagree and 7= Strongly Agree]


5.31

5.22

4.98

4.71

4.46

4.40

4.38

3.87

3.83

3.90

3.00

2.59

3.18

3.06

2.24

4.66

4.58

4.28

4.15

3.99

Risk Management Assurance

Risk Language

Risk Integration

Risk Appetite

Risk Management Training



Our ERM process is now in its sixth year and has

achieved a fairly high level of maturity. Our riskidentification & assessment processes have a balance

of bottom up & top down approach.

-- Anonymous Peer

https://audit.executiveboard.com/Members/Benchmarking/Abstract.aspx?cid=100136748




https://audit.executiveboard.com/Members/Benchmarking/Abstract.aspx?cid=100136748



28

Appendix A: Risk Management Effectiveness Characteristic Definitions

Risk Anticipation – The company routinely identifies emerging risks and proactively puts plans in place to address them.

Risk Prevention – The company has the proper levels of controls in place, routinely evaluates the effectiveness of those controls, and reports ontheir status.

Risk Response – The company has appropriate response plans in place, plans are routinely evaluated and updated, and they are effectively

deployed when a risk event occurs.

Risk Awareness of the Board and Senior Management – The Board and senior management are fully aware of the top risks facing the

organization at any given time.

Risk Awareness in the Business – Employees at all levels in the business understand how risks (enterprise, strategic, financial, operational,

regulatory, etc) manifest in their part of the business

Appendix B: Risk Management Factor Definitions

Risk Framework – Structure or frame for defining how risk management principles and concepts are used in the normal conduct of business.

Risk Management Objectives – Clearly defined risk management philosophy and vision as well as goals and measurable objectives.

Policies and Procedures –

Board-approved risk management policies and procedures to ensure everyone follows the same risk managementprocess.

Senior Management Support – Strong executive backing and sponsorship for the risk management program.

Roles and Responsibilities – Documented roles and responsibilities for managing risk from the Board down to employee level with clear division

of responsibilities between the role of the corporate center and the business units.



29

Risk Appetite – Guidelines for defining risk appetite and establishing tolerance levels appropriate for accepted risk exposure to achieve

organizational goals. Risk tolerance levels are evaluated on an ongoing basis and tested against different scenarios.

Risk Language – Common risk language including a universal definition of risk and other risk terminology that does not vary by business unit orfunction.

Risk Integration – Risk management is considered in existing company processes including strategic planning, project management, external

communications, and other key management activities.

Risk Management Training – Risk management strategy and structure is widely communicated, all employees and stakeholders understand the

company‟s vision and objectives, and formal training is provided to ensure relevant skills to execute on risk management strategy.

Risk Identification – Comprehensive approach to identifying top risks facing the organization, including both executive level top-down and

business or function led bottom-up approach.

Risk Assessment – Uniform quantitative and qualitative methods to assess the likelihood and potential impact of risk events, and aggregation and

comparison of risk assessments across business units.

Risk Prioritization – Methodology in place to aggregate residual risks by business unit or type of risk, calculate the contribution of each and

aggregate to total entity risk, and prioritize the largest group-level risks.

Risk Reporting – Risk communication is integrated into existing reporting mechanisms and its risk disclosures are tailored to the needs of key

constituencies, including the Board, management, and investors. A process exists for escalating risk issues to appropriate stakeholders on a timely

basis.

Audit Plan Integration – Internal Audit coordinates with existing risk management activities to assess company risk and build the audit plan,

ensuring the audit plan is a clear reflection of management‟s articulation of risks.

Risk Management Assurance – Internal Audit audits risk management activities and has defined and regularly tracks quantitative performance

measures for validating that the risk management program is operating effectively.



32

Appendix C: Data Analysis

Slide 17: Test of Overall Effectiveness by Maturity Levels

ANOVA

Sum of Squares df Mean Square F Sig.

RAWAREBORD Between Groups 3.103 5 .621 .520 .761

Within Groups 165.862 139 1.193

Total 168.966 144

RPREVENT Between Groups 5.194 5 1.039 .839 .524

Within Groups 170.778 138 1.238

Total 175.972 143

RRESPONSE Between Groups 4.581 5 .916 .814 .542

Within Groups 155.391 138 1.126

Total 159.972 143

RANTIC Between Groups 4.796 5 .959 .658 .656

Within Groups 201.176 138 1.458

Total 205.972 143

RAWAREBUS Between Groups 8.442 5 1.688 1.250 .289

Within Groups 186.447 138 1.351

Total 194.889 143

OVERALL Between Groups 2.804 5 .561 .705 .621

EFFECTIVE- Within Groups 110.615 139 .796

NESS Total 113.420 144



CORPORATE EXECUTIVE BOARD

WWW.EXECUTIVEBOARD.COM

Audit Director Roundtable

Corporate Executive Board1919 North Lynn Street

Arlington, VA 22209

Telephone: +1-571-303-3000

Fax: +1-202-303-3100

The Corporate Executive Board Company (UK) Ltd.

Victoria House

Fourth Floor

37 –

63 Southampton RowBloomsbury Square

London WC1B 4DR

United Kingdom

Telephone: +44-(0)20-7632-6000

Fax: +44-(0)20-7632-6001

Contact Information:

Sonia Nordberg

[email protected]

Brandon Stoker

[email protected]

Anubhav [email protected]

mailto:[email protected]






survey adr risk management effectiveness

Documents