enterprise risk management (erm) discussion · 2016-07-29 · enterprise risk management (erm)...
Enterprise Risk Management (ERM) Discussion
American Gas Association Risk Management Committee Meeting
July 25, 2016
2 Copyright © 2016 Deloitte Development LLC. All rights reserved.
Objectives
• Discuss the value of ERM and board’s role in risk oversight
• Highlight leading practices in board reporting
• Review hot topics for boards today
What is risk?
“The potential for loss – or the diminished opportunity for gain – caused by factors that can adversely affect the achievement of a company’s objectives”
Risk types
[Figure: risk types charted on two axes: expected reward for risk (value to an organization for taking on risks) and controllability (ability of organization to minimize the risks), running from less to more. Labels on the chart: Opportunities, Threats, Imposed risks, Self-inflicted risks, Calculated risks.]
Key components of board’s risk oversight
[Figure: "Risk Oversight" at the center, surrounded by the following questions]
• What oversight ensures the strategy is executed?
• What shared values guide the organization?
• How is risk measured and monitored?
• What infrastructure enables execution?
• What vision drives the organization?
• What are the risks to the strategy and risks of the strategy?
• How is risk managed?
• What are the principles that enable the organization to create, deliver and capture value?
Examples of risk oversight success factors
• Encompass the entire business
• Address the full spectrum of risks
• Understanding of company’s major risks
• Consider not just single events, but the interaction of multiple risks
• Clear direction on corporate risk appetite and how it applies to specific functional areas
• Consistent application of risk processes across functional areas
• Clear and transparent communication related to company enterprise risks
• Broad risk experience, with sufficient focus on appropriate data and reporting techniques to facilitate productive discussion
• Balance risk probability, vulnerability, and consequences
• Make strategic decisions that arise from risk-informed processes
Board committee reporting
[Chart. Categories: A dedicated risk committee; The Audit and Finance Committee; Report directly to the full Board; Other. Values shown: 17%, 43%, 30%, 11%.]
Source: Results from the roundtable poll conducted in preparation for the October 2015 P&U ERM Roundtable hosted by Deloitte. Total: 40 respondents.
Reporting frequency
[Chart. Categories: Quarterly; Semi-Annually; Annually; Other. Values shown: 34%, 24%, 20%, 22%.]
Source: Results from the roundtable poll conducted in preparation for the October 2015 P&U ERM Roundtable hosted by Deloitte. Total: 40 respondents.
Report content
[Chart. Categories: Risk Trends; External or Industry Events; Risk Concepts; Emerging Risks; Other. Values shown: 36%, 32%, 19%, 38%, 10%.]
Source: Results from the roundtable poll conducted in preparation for the October 2015 P&U ERM Roundtable hosted by Deloitte. Total: 40 respondents.
Board hot topics
• Focus on strategic risk
• Quantification of operational risk reduction efforts
• Understanding of risk culture
• Framing brand/reputation risk
• Clarity on cybersecurity risk
Strategic risk
Unclear what to look for
Signals often weak
Sources may be in other industries or geographies
Traditional tools and methods don’t reliably detect what’s “over the horizon”
No historical precedent
Strategic risks threaten to disrupt the assumptions at the core of a company’s strategy (and strategic objectives), and undermine a company's ability to achieve or maintain exceptional performance
Operational risk
Assuring that O&M and Capital asset investment decisions are optimal and defensible - to the company’s stakeholders (customers, employees, investors and regulators)
Showing that investments reduce risk(s)
Confirming that O&M and Capital investment decision-making process will achieve consistent outcomes
Risk culture
As a result of changes in the marketplace and workforce, strong risk culture is increasingly more critical for success.
Drivers
• Increased rate of employee turnover for Millennial generation is changing concept of employee “loyalty”
• Increased competition and cost constraints are exposing organizations to risk
• Unreasonable expectations (e.g., leadership, stakeholders, regulators, customers)
• Evolution of required competencies
Indicators
• Significant change to business model
• Reorganization/Right sizing
• Frequency of negative incidents and/or close calls
• Increased competition and cost constraints are exposing organizations to risk
• Frequency of regulatory violations
Brand/reputation risk
• 88% of companies rate reputation risk a critical or the most critical risk
• How companies rate themselves in managing reputation risk
• Most critical reputation risk elements are:
20% Security | 19% Ethics/Integrity | 16% Product/Services
45% Security | 55% Ethics/Integrity | 43% Product/Services
43% Security | 50% Ethics/Integrity | 40% Product/Services
Yesterday | Today | Tomorrow
Source: Deloitte’s 2014 Global Survey on reputation risk
Brand/reputation risk (cont.)
Preparedness for risks that drive reputation†
Companies feel most prepared to manage risks within their direct control…
• 69% Regulatory compliance
• 68% Employee misconduct
• 66% Executive misconduct
… and least prepared for risks beyond their direct control†
• 47% Third party/extended enterprise issue
• 44% Competitive tasks
• 44% Hazard or other catastrophe
†Respondents could choose more than one answer; the top three are shown above.
Common questions on cybersecurity risk
• What is your cybersecurity risk profile?
• How do you define cybersecurity risk?
• Who owns the risk?
• What is ERM’s role in cybersecurity risk?
• Who reports on the cybersecurity risk(s), and how frequently?
• How do you assess that investments in your cybersecurity program reduce the risk?
• For what do you need cybersecurity insurance, and how much?
Contact information
Asma Qureshi
Senior Manager
Deloitte Advisory, Strategic Risk
Deloitte & Touche LLP
30 Rockefeller Plaza
New York, NY 10112-0015
Tel: +1 212 436 7659
Mobile: +1 347 255 [email protected]
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2016 Deloitte Development LLC. All rights reserved.
36 USC 220506
Member of Deloitte Touche Tohmatsu Limited