TRANSCRIPT
Top 10 Key Attributes of an Enterprise Risk Management Program
ERM003
Speakers:
• Cindy Roelke, Director, Risk and Insurance, The Western Union Company
• David Young, Lecturer, University of Colorado, Denver
Learning Objectives
At the end of this session, you will:
• Describe the essential qualities of a successful ERM program
• Employ mechanisms that maintain key risk focus across all categories of risk
• Assemble arguments to convince your organization’s primary stakeholders of the benefits of ERM
Source Material
• FNCE 4129/6129 – Practical Enterprise Risk Management
• Risk Management & Insurance Program, Business School, University of Colorado Denver
• Currently seeking Mentors for Summer 2016 / Spring 2017 semesters
• Western Union Student ERM Project – Spring 2015
• Graduate Student Project on a publicly traded company
ERM 10 Key Criteria
1) Enterprise-wide scope – all areas in scope
2) All risk categories – financial, operational, strategic & hazard
3) Key risk focus – not hundreds of risks
4) Integrated Risks – captures interactivity of 2+ risks
5) Aggregated Risk – enterprise-level risk exposure/appetite
6) Includes decision-making – not just risk reporting
7) Risk-return Mgmt. – mitigation plus risk exploitation
8) Risk disclosures – integrates ERM information
9) Value impacts – includes company value metrics
10) Primary stakeholder – not rating agency-driven
Enterprise-wide Scope
• “Enterprise” is the first word in ERM, yet traditional ERM programs usually fail to achieve enterprise-wide scope, for five reasons:
1) Insufficient C-Suite and Board of Director oversight
2) Deemed insignificant
3) Limiting approaches to ERM
4) Differing cultures
5) Incomplete implementation
• It’s not true ERM until all areas are in scope
Sample ERM Engagement Model
All Risk Categories
• The word “all”
• A significant step forward in the risk management field
• Must include all risk categories
• Financial (market, credit, liquidity, etc.)
• Strategic (strategy execution, competitor risk, emerging, etc.)
• Operational (human resources, technology, etc.)
• Hazard (mostly insurance related risk)
All Risk Categories (continued)
• Traditional ERM focuses mostly on financial risks
• Inability to quantify strategic and operational risks
• Myth regarding importance of financial risks
• Studies debunk this
• Even true for financial services companies
• Partly due to poor risk categorization and definition
• Modeler bias
• Education, training and experience all in financial
• Methods work best for financial risk
• Risk of staying within comfort zone: “Searching under streetlamp”
• Dangerous significant digits violation / impression of completeness
New Category: Emerging Risk
Communicating Emerging Risk
• Digitalattackmap.com
• Informationisbeautiful.net
Key Risk Focus
• Focus on the organization’s key risks
• An Excel spreadsheet with hundreds of risks is unmanageable
• Use a risk tolerance calculation to determine which risks are key
• Most likely these risks will be Strategic and Operational Risks
• Key Risk Focus allows for greater accountability
• Transparency and accountability are critical to ensure risk oversight
Sample Accountability Model
Integrated Risks
• Traditional risk management, and even most traditional ERM programs, have “silo” risk measurement, which is suboptimal
a) Incomplete
b) Inefficient
c) Internally inconsistent
Integrated Risks (continued)
a) Incomplete
• Ignores real-world complexity
• Having only one risk scenario happen at a given time is like every aspect of your business going perfectly, except one
• Ignores biggest threats
• Ignores offsetting risks
• Two risk events occurring “simultaneously” (during same time period, e.g., one year), one downside and one upside
• Other possibilities?
Integrated Risks (continued)
• One example of two downside risk events occurring within the same calendar year that involve offsetting:
• First event: Competitor steals away half of company’s business in Russia
• Second event: Russia passes regulations that increase variable costs (costs as percentage of revenues) on U.S. businesses operating in Russia
Integrated Risk (continued)
b) Inefficient
• Over-paying
• Not buying (e.g., hedges) in bulk
• Under-communicating
• Not sharing best practices
c) Internally inconsistent
• Different projections of environment, market
• Different bets
Aggregated Risk
• Two Metrics
• Enterprise risk exposure (calculated)
• Risk appetite (defined by management) (also called risk tolerance, by S&P)
• Traditional ERM programs have neither, resulting in:
• Inability to do primary job of ERM – managing enterprise risk exposure to within risk appetite
• Inability to have correct chronology:
1) Calculate enterprise risk exposure
2) Define risk appetite
3) Cascade down to risk limits
4) Instead, uses local management judgment, instinct or old rules-of-thumb, causing two errors:
• Under-mitigating (potentially dangerous, if risk event occurs)
• Over-mitigating (waste of resources, e.g., many insurable risks)
Risk Appetite / Risk Tolerance
Risk Decision-Making
• Many ERM programs in their infancy merely identify and then report key risks to the Board
• Misses the primary function: risk decision-making
• “Risk Map” is a popular report
• Focus on key risks with materiality
WU Student Project Risk Map
Risk-Return Management
• Traditional risk management led business segments to perceive risk leaders as obstacles
• New ventures were thwarted by an emphasis on risk exposure
• Upside was not fairly considered alongside the increased risk
• ERM is a significant step forward
• Both downside and upside volatility - risk mitigation and risk exploitation - are in scope
• Risk practitioners are now welcome in strategic discussions, perceived as business partners
Risk Disclosures
• Improper risk disclosures: most overlooked risks
• Most are boilerplate with significant auditor input
• Yet ERM sophistication varies widely
• Best, safest practice (and likely soon to be a regulatory requirement) is to inform disclosures with ERM information
http://www.sec.gov/news/press/2009/2009-268.htm
Value Impacts
• Virtually all talk about “value-added” activities, yet very few measure value
• Most ERM programs use short-term metrics
• Balance sheet impact
• Next quarter’s earnings impact
• Inadequate for quantifying the full impacts of risks
• Inadequate for informing risk decision-making
Primary Stakeholder
• Traditional risk management programs often focus on ratings / rating agencies
• Maximally satisfying rating agencies does not usually lead to maximizing shareholder value
• ERM must focus on primary stakeholder: the shareholder
• All decisions – even risk-priority – must increase company value
Next ERM Regulatory Hurdle?
Thanks for attending!
Enjoy the rest of RIMS 2016!
Questions / Discussion