
The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

Marc Dominus

© 2005 Protiviti Inc. EOE

Agenda

• Terminology and Process Introductions

• ERM Process Overview

• BCM Process Overview

• The Intersection

• A Path Toward Maturity

• COSO’s ERM Framework

• A Case Study in Risk Management

• Questions and Discussion

Enterprise Risk Management Defined

A process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The Business Motivation for ERM

Successfully respond to changing business environment
• Become more forward looking
• Build management confidence
• Adapt to new business models
• Manage business alliances
• Adjust to competitor moves
• Exploit risk management strengths through product enhancements
• Improve resource allocation

Reduce unacceptable performance variability
• Improve ability to anticipate and respond to impact of major events
• Reduce earnings volatility
• Improve consistency of operations
• Avoid erosion of sources of value
• Manage increasing costs of mitigation
• Improve success rate at accomplishing strategic initiatives

Build confidence of investment community
• Demonstrate management’s ability to take on and manage risk and provide an adequate return
• Display ability to handle industry issues and peer comparisons
• Increase transparency into risk management capabilities

Align and integrate risk management practices
• Align multiple risk management functions
• Assess need for and role/authority of Chief Risk Officer (CRO)
• Integrate into critical management activities
• Link to shareholder value initiatives
• Increase ability to understand and aggregate risk exposure

Enhance corporate governance
• Strengthen Board governance
• Meet regulator expectations
• Effectively communicate business and risk strategies
• Align throughout organization
• Clarify vertical and horizontal roles and authority levels
• Assess need for senior-level oversight structures

Align risk taking strategy with corporate culture
• Increase risk awareness
• Improve balance between risk taking vs. risk averse culture
• Improve tools to better understand risk exposures
• Increase accountability for managing risks
• Increase timely awareness of changes in risk profile and related controls

Protiviti’s Point of View on ERM

• If you don’t know what your priority risks are, ERM will never begin
• If you don’t have a view around the gaps existing with respect to your priority risks, you will never be able to articulate a value proposition
• ERM is not something to build in a day…start somewhere and build incrementally
• The purpose of ERM infrastructure is to drive continuous improvement of ERM capabilities
  – Objective is to continuously improve capabilities around managing priority risks as circumstances change
• The tenets of effective ERM implementation:
  – Leverage what you have
  – Integrate with what you do
  – Keep it simple!!!

Forrester Independent Research Results

In October 2005, The Forrester Wave™: Enterprise Risk Management Consultants, 4th quarter, 2005, was released. The research identified Protiviti as a “Leader” in the field, along with Deloitte, PricewaterhouseCoopers and IBM Consulting.

According to the study:
– “Protiviti has strong methodologies and was rated well by clients.” In the “client reference” category, Protiviti received a perfect score of 5 out of 5.
– “Protiviti’s service is an especially good fit for buyers that:
  • Are looking for a strong source of ERM thought leadership and shared knowledge.
  • Are looking for operational implementation of an ERM program.”
– Protiviti’s “well-developed risk taxonomy” is a key differentiator from the other leading firms.

Protiviti US Risk Barometer Survey Findings: Changing Risk Profile

Corporate America’s largest companies are taking more risks:
• They are vulnerable to these business risks and need to step up their risk management efforts to ensure their capabilities are keeping pace with changing risk profiles
• Risk levels as well as appetite for risk have changed significantly over the past two years
• Primary catalysts for change include the regulatory environment, strategic decisions, and current and potential litigation

Risk Barometer Survey Findings: Risk Management Capabilities

• Most senior executives lack a high degree of confidence that their organization’s risk management capabilities identify and manage all potentially significant business risks
  – Only 38 percent of business leaders believe their organizations are very effective at managing significant risks
  – More than half – 54 percent – acknowledge there is more they can do to identify, quantify and manage the risks they face
• Most companies are taking steps to improve their risk management capabilities
• Few companies are effective at balancing growth and control
• Not enough companies are employing best risk management practices
• CFOs “own” risk management in most organizations
• The most significant benefits of risk management are viewed to be lower costs of insuring risk and more timely identification of critical risks

Risk Barometer Survey Findings: Current State of Risk

• Companies do not have just one predominant risk today – rather, they face a range of risks
• The most significant risks cited were:
  – Customer satisfaction (Internal)
  – IT security (Internal)
  – Competition (External)
  – Current regulatory environment (External)

ERM: A Portfolio View

Enterprise risk management requires an entity to take a portfolio view of risk. Across the corporate functions shown (Marketing, R&D, Legal and Sales), consider the effects on the organization of:
• A 20% decrease in marketing budget: how does it affect sales?
• A 15% increase in R&D output: how does it affect demands to market new products?
• A shift to greater use of outside counsel: how does it affect communications with sales staff and the R&D/patent process?

Evolution of the COSO ERM Framework

(Figure: COSO Internal Control Framework → COSO ERM Integrated Framework; new or enhanced COSO components are highlighted.)

Uncertainties Affect EACH Source of Value

Risk management should address exposures to ALL sources of value: Physical Assets, Financial Assets, Customer Assets, Employer/Supplier Assets and Organizational Assets. Uncertainties affecting these sources of value include:
• Significant losses of customers or channels
• Ineffective channels
• Loss of markets or market opportunities
• Lack of needed experience and skills
• Erosion of “intellectual capital”
• Loss of morale
• Poor relationships
• Inability to create effective partnerships
• Poor economic performance
• Insufficient sources of debt or equity
• Unacceptable losses
• Inadequate liquidity
• Unauthorized use
• Catastrophic loss
• Unacceptable costs
• Unclear or obsolete strategies
• Lack of institutional learning
• Ineffective/Inefficient processes
• Integrity breakdowns
• Inadequate information for internal decision making
• Incorrect executive certifications
• Reputation loss

ERM Builds upon Existing Risk Management Capabilities…

“CURRENT STATE” CAPABILITIES → “FUTURE STATE” VISION

Risk Management
  Focus: Financial and hazard risks and internal controls
  Objective: Protect enterprise value
  Emphasis: Treasury, insurance and operations involved
  Application: Financial and operations
  Scope: Selected risk areas, units and processes

Business Risk Management
  Focus: Business risk and internal controls, taking a risk-by-risk approach
  Objective: Protect enterprise value
  Emphasis: Business managers accountable
  Application: Management
  Scope: Selected risk areas, units and processes

Enterprise Risk Management
  Focus: Business risk and internal controls, taking an entity-level portfolio view of risk
  Objective: Protect and enhance enterprise value
  Emphasis: Applied across the enterprise, at every level and unit
  Application: Strategy-setting
  Scope: Enterprise-wide to all sources of value

Five Practical Steps to ERM Implementation


Potential to Embed Risk Assessment Results into Strategic Processes

(Figure: Integrating ERA with Strategy.) Strategic processes into which Strategic Risk Assessment results can be embedded:
• Strategic Planning (Value Creation and Protection)
• IA Planning
• Resource Allocation
• Budget and Planning
• Business Unit Objective Setting
• Corporate Objective Setting
• Performance Management Dashboard
• Reporting (including risk metrics)

Designing an ERM infrastructure

ERM infrastructure may include:

FOUNDATION

• Common risk language

• Enterprise risk management policy

• Risk committee charter

• Chief Risk Officer job description

• Clarification of roles and responsibilities

CAPABILITIES

• Enterprise-wide risk assessment process

• Integration of risk responses with operating plans

• Supporting technology to collect and aggregate risk management data

• Common training on and knowledge sharing of best practices

• Dashboard and other risk reporting

ELEMENTS FOR ENHANCING CAPABILITIES

• Tools to portray a portfolio view of risk

• Alignment of organizational behavior with risk appetite

BCM Terminology and Process Introduction

Business Continuity Management is …the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.

BCM = Crisis Management + Business Resumption Planning + IT Disaster Recovery Planning

Terminology Confusion

• Confusion Around Terminology?

• Let’s Discuss Some Similar Terms

• Business Continuity Planning (BCP)

• Business Recovery Planning (BRP)

• Business Resumption Planning (BRP)

• Business Resiliency Planning (BRP)

• Disaster Recovery Planning (DRP)

• Contingency Planning

The Business Continuity Management Lifecycle

(Figure: the Continuity Life Cycle and the Solutions Deployment Life Cycle.) Stages:
• Vulnerability & Risk Assessments
• Business Impact Analysis
• Business Continuity Strategy Design
• Business Continuity Plan Benchmarking
• Solutions Deployment
• Compliance Monitoring & Auditing
• Training & Awareness Programs
• Business Continuity Plan Testing

Components of a BCM Program

• Executive Management Support

• Steering Committee

• Process Owner

• BCM Policy

• Training and Awareness Program

• Plan Testing & Exercise Program

• Plan Maintenance Process

• Tested, Documented Procedures

• Crisis Organizational Structure

• Emergency Operations Center

• Alternate Processing Facility

• Crisis Communications Processes

• Trained Response and Recovery Personnel

• Pre-positioned Resources

• Identified Vital Records, Information & Data


Business Continuity Management Drivers

• Regulatory Requirements
• Current Events and the Perceived Threat
• Single Points of Failure / Critical External Dependencies
• Customer Demands
• Director and Officer Liability
• Risk Transfer Costs
• Cannot Afford Downtime

“Corporate leaders have an obligation to the stakeholders of their organizations to ensure that everything that can reasonably be done to protect the business is done.”

Gartner Group - Real-Time Enterprise: Business Continuity and Availability, October 22, 2002

The Intersection

Developing a Common Language

The Protiviti Risk Model provides a framework for identifying and defining key risks. It is a flexible tool that can be adapted to meet a client’s specific facts and circumstances.

The model provides a language to start with in narrowing down the risks to the vital few requiring specific attention. This helps build the confidence of executives and directors in the comprehensiveness of the process. Definitions are created to clarify the risk specificity in order to provide a substantive language for use across the enterprise.

A Path Toward Maturity

Capability Maturity – A Model for Describing Process Improvement

Derived from the Carnegie Mellon capability maturity model.

Six Elements of Infrastructure:
• Business Policies: corporate, business unit and location level policies
• Business Processes: integration into business processes and control environment
• People and Organization: risk response ownership and accountability
• Systems and Data: ability to manage risk response based on technology capabilities
• Methodologies: alignment to corporate and business unit methodologies (e.g., Six Sigma)
• Management Reports: key performance indicators and management reports

Improved Maturity - Capability

Maturity levels: Initial → Repeatable → Defined → Managed/Optimizing

Improved risk management capabilities:
• Risk Identification
• Defined process
• Initial quantification
• ERM responsibilities
• Policy and process guidelines followed across the organization
• Consistent risk reporting
• Robust risk measurement
• Enterprise-wide limits
• Enterprise-wide risk strategies
• Risk diversification exploited competitively
• Quantification of risk versus tolerances
• Integrated risk measurement systems
• Risk measures applied to performance goals
• Integration with strategy and planning
• Common language
• Dedicated resources
• Risk management policy
• Executive management oversight
• Risk sourcing

Improved Maturity - Benefits

Maturity levels: Initial → Repeatable → Defined → Managed/Optimizing

Accumulation of business performance benefits:
• Risk awareness
• Risk anticipated better than competitors
• Linkage between risk management and line operations management
• Improved capital and resource allocation
• Risk transparency with stakeholders
• Capitalize on market opportunities
• Risk managed as integral part of managing the business
• Diversification effects understood and exploited
• Risks aggregated to reduce risk transfer costs
• Risk management integrated with business planning and strategy
• Improved business knowledge
• Uncertainties evaluated and understood
• Risk-reward decisions receive more attention
• More effective risk-based decision making

Protiviti’s Enterprise Risk Assessment (ERA) Methodology

1. Understand the business and its objectives
2. Identify events that negatively impact one or more business objectives
3. Understand, evaluate, and prioritize business risks by evaluating the impact and likelihood of potential events and existing activities
4. Develop a plan to respond to high priority risks

Protiviti’s Enterprise Risk Assessment (ERA) Methodology

(Figure: ERA methodology flow showing five phases with their activities, inputs and outputs.)

Phases:
1. Project Planning
2. Internal Environment and Objectives
3. Event Identification
4. Risk Assessment
5. Risk Reporting

Activities:
• Finalize Project Scope and Approach
• Develop Project Plan for Each Phase
• Establish Project Sponsor and Steering Committee
• Determine Project Team Requirements
• Finalize Project Team Resources
• Define Project Roles and Responsibilities
• Determine Approach to Communications
• Review Documentation Request List
• Identify Potential High Risk Areas
• Develop Custom Risk Model
• Determine Interview Questions and Participants
• Conduct Risk Identification Interviews
• Deploy On-Line Survey as Necessary
• Document Results of Interviews in Risk Model
• Plan and Design ERA Workshop
• Develop Workshop Materials
• Conduct Facilitated Enterprise Risk Assessment Workshop
• Meet With Steering Committee
• Compile Results of Risk Assessment Activities
• Develop Executive Management Report
• Review Results with Executive Management

Inputs:
• Understanding of Business Environment
• Documentation Request List

Outputs:
• Finalized Project Scope & Approach
• Roles & Responsibilities
• Project Communication
• Custom Risk Model
• Inventory of Risks Identified
• Initial Top Risks Identified
• Survey and Interview Results
• Risk Profile
• Impact & Likelihood Results for Top Risks
• Initial Identification of Key Controls
• Executive Management Report
• Risk Profile and Prioritized Risks
• Documented ERM Next Steps
• Final Project Documentation

Sample Risk Map

(Figure: a 5 × 5 heat map with IMPACT on one axis and LIKELIHOOD on the other; each identified risk is plotted as a letter.)

Impact scale: Insignificant, Minor, Moderate, Major, Catastrophic

Likelihood scale: Remote (10%), Unlikely (25%), Reasonably Possible (50%), Probable (75%), Almost Certain (90%)

Risk ratings shown on the map: Low, Low to Moderate, Moderate, Moderate to High, High, Very High

Risks plotted:
• A – Performance Monitoring
• C – Disaster Recovery
• D – Disaster recovery
• G – Change Management
• K – HR Knowledge capital
• L – Regulatory Compliance
• M – Business Interruption
• N – Client Retention
• O – Communication
• P – Product Development
• R – Resources Allocation
• T – Technology Support
• U – Reputation
• V – Security/Vulnerability
• X – Performance Execution

Questions and Discussion