Implementing Enterprise Risk Management (ERM): A Process Overview

By Hussein K. Isingoma, CISA, CISM, CRISC, FCCA, CIA, CPA. ISACA Kampala, 24th April 2013.


Page 1: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

By Hussein K. Isingoma

CISA, CISM, CRISC, FCCA, CIA, CPA

ISACA Kampala, 24th April 2013

Page 2: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Introduction

All organizations exist to provide value to shareholders and stakeholders.

Every organisation needs to determine how much uncertainty it should accept in seeking to create value or deliver service.

Uncertainty has the potential to enhance or erode value.

Organisations have growing concerns about a broader spectrum of risks.

For many organizations, risk management is rapidly developing into a more forward-looking, enterprise-wide approach.

Page 3: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Contd…

Risk Management (RM) is about systematically identifying and actively managing risks to the business.

It is about increasing the likelihood of success by minimising threats and maximising opportunities.

It is about being in control, and being seen to be!

Recent world disasters and scandals bear the hallmarks of failure in the Risk Management process: identification, assessment of risks, etc.

The downturn in the global economy raises important questions about how organisations conduct their business, and particularly about how they assess and manage risk.

Page 4: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

World Disasters and Scandals. What Happened?

Fukushima Nuclear Disaster

Tokyo Electric Power Company (TEPCO) failed to prevent the disaster not because a large tsunami was unanticipated, but because they were reluctant to invest time, effort and money in protecting against a natural disaster considered unlikely.

The utility and regulatory bodies were overly confident that events beyond the scope of their assumptions would not occur, and were not aware that measures to avoid the worst situation were actually full of holes.

Financial/Sovereign Debt Crisis

The U.S. Financial Crisis Inquiry Commission concluded in January 2011 that the crisis was avoidable and was caused by:

Widespread failures in financial regulation, including the Federal Reserve's failure to stem the tide of toxic mortgages;

Dramatic breakdowns in corporate governance, including too many financial firms acting recklessly and taking on too much risk;

High-risk lending and borrowing practices.

Page 5: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

ERM Definition

A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives. (IIA definition)

Core Elements of a Risk Management Framework

Board/Executive commitment and context setting

Risk Identification

Risk Assessment

Risk Response

Monitoring & Reporting

Together these elements make up Enterprise Risk Management (ERM).

Page 6: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

COSO-ERM Framework (the slide shows the framework diagram only)

Page 7: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Deloitte East Africa ERM Survey

First baseline survey on the state of ERM in the Financial Services Industry (FSI): banking, insurance, securities, real estate and investment management.

Implementation of ERM is fairly limited, with only 31% of companies surveyed having a fully implemented ERM programme.

23% had their risk appetite defined both quantitatively and qualitatively.

Top-rated challenges during ERM implementation included integrating risk data across the organization (70%) and having the appropriate risk management skills (64%).

Page 8: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Assessing Risk Maturity

Risk maturity is the extent to which a robust RM approach has been adopted and applied as planned.

Assessment of your organization's risk maturity is a critical input to the effective implementation of ERM.

It provides a baseline upon which the organization's risk assurance strategies and activities will be determined.

Risk maturity assessment is about understanding how well the business risks are being managed.

It involves determining the information necessary to carry out the assessment, defining the methods of obtaining that information, and getting evidence to substantiate the assessment.

Page 9: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Risk Maturity Levels

Risk Naïve: No formal approach developed for RM.

Risk Aware: Scattered, silo-based approach to RM.

Risk Defined: Strategy and policies in place; risk appetite defined.

Risk Managed: Enterprise approach to RM developed and communicated.

Risk Enabled: RM and internal controls (ICs) fully embedded into operations.

Page 10: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

ERM Process Overview

Board/Executive commitment and context setting

Risk Identification

Risk Assessment

Risk Response

Monitoring & Reporting

Page 11: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Drivers of ERM

Corporate scandals and disasters

Regulatory action; laws

Industry initiatives, e.g. standards

Best practices: control and risk frameworks, etc.

Page 12: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

1. Setting the Context for RM

Senior management plays a critical role in establishing and communicating the foundation against which RM decisions are to be taken throughout the business. This foundation includes:

Strategic direction and goals

Appetite for risk

Risk Management framework

Roles and responsibilities

Page 13: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

2. Risk Identification (RI)

RI Methods

One-to-one interviews

Brainstorming

Round table discussions

Interactive workshops

Questionnaires

RI Tools

SWOT analysis

PESTLE analysis

Scenario planning

Stakeholder analysis

Page 14: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

How to Make RI Successful

Get the right people involved

Brief them adequately

Give them the right tools

Think outside the box

Have a meaningful definition of risk (distinguish between a risk and a problem!)

Effective RI Should Be…

Comprehensive

Complete

Honest

Covering all relevant business activities

Entailing training and awareness activities

Page 15: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Risk Register

The output of the risk identification process is the Risk Register. Its role is to capture all major business risks in one place, so that they can be compared, contrasted and combined, and so that they are given attention at the right level in the organisation.

Typically there could be multiple risk registers: corporate risks; divisional, country and functional risks; project risks; etc.

Page 16: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

3. Assessing and Prioritizing Risks

It involves ascertaining:

The measures in place to control risk

The effectiveness of controls

The likelihood of risk occurrence

The impact of the risk if it did occur

The significance of the risk

Risk significance is the product of the likelihood of occurrence and the impact if it did occur.

Assessment scales are used to determine likelihood and impact. Assessment scale levels depend on the organisation's risk maturity.

Page 17: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Contd… Risk Assessment Scales (5-level)

Level | Probability descriptor | Probability of occurrence | Impact descriptor | Impact
1 | Rare | Very low (VL) | Insignificant | Very low (VL)
2 | Unlikely | Low (L) | Minor | Low (L)
3 | Possible | Moderate (M) | Moderate | Moderate (M)
4 | Likely | High (H) | Major | High (H)
5 | Almost certain | Very high (VH) | Catastrophic | Very high (VH)

Page 18: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Contd… Risk Map: 3-level Risk Significance Scale (High, Medium, Low). The slide shows the likelihood/impact map only.

Page 19: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Contd…

The risk assessment matrix is a key way of establishing and communicating risk appetite.

Risk Appetite: the amount of risk that an entity is willing to accept in pursuit of its mission.

It confirms what level of risk is acceptable, and which risks are significant and should be reported upwards.

Inherent risk: exposure before any controls.

Residual risk: exposure after controls are in place and are operating.

Page 20: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Risk Appetite

The slide shows a likelihood/impact chart: the inherent risk position is moved by the risk response to the residual risk position, which is compared against the risk appetite line.
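The scoring described on slides 16 to 21, worked through in code as an added example (this is not material from the presentation): it applies the 5-level likelihood and impact scales, multiplies them into a significance score, bands that score onto the 3-level risk map, compares inherent and residual scores against a risk appetite threshold, and places the residual risk in the response quadrant. The band cut-offs (Low up to 4, Medium 5 to 9, High 10 and above), the quadrant threshold of level 3, the appetite value and the sample register entries are assumptions made for this illustration; the slides give no numeric values for them.

```python
"""Illustrative risk-register scoring using the 5-level scales from the slides.

Added example, not from the presentation. The 3-level banding of the
1..25 significance score, the quadrant threshold, the appetite value and
the sample register are assumptions made here for illustration.
"""
from dataclasses import dataclass

# 5-level scales as given on the slides (level -> descriptor)
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}


def significance(likelihood: int, impact: int) -> int:
    """Risk significance = likelihood x impact, on a 1..25 scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must both be levels 1..5")
    return likelihood * impact


def band(score: int) -> str:
    """Map the 1..25 score onto the 3-level risk map (assumed cut-offs)."""
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def response_posture(likelihood: int, impact: int) -> str:
    """Quadrant of the response grid; 'high' means level 3 or above (assumption)."""
    high_likelihood = likelihood >= 3
    high_impact = impact >= 3
    if high_impact and high_likelihood:
        return "Manage actively"
    if high_impact:
        return "Contingency plans"
    if high_likelihood:
        return "Good housekeeping"
    return "Review periodically"


@dataclass(frozen=True)
class RiskEntry:
    ref: str
    description: str
    inherent: tuple  # (likelihood, impact) before any controls
    residual: tuple  # (likelihood, impact) with controls operating


def assess(entry: RiskEntry, appetite: int) -> dict:
    """Score one register entry and decide whether it must be reported upwards."""
    inherent = significance(*entry.inherent)
    residual = significance(*entry.residual)
    return {
        "ref": entry.ref,
        "inherent": inherent,
        "residual": residual,
        "band": band(residual),
        "posture": response_posture(*entry.residual),
        "controls_reduce_risk": residual < inherent,
        # residual above appetite is significant and is reported upwards
        "escalate": residual > appetite,
    }


# Constructed sample register (hypothetical entries, not real data)
SAMPLE_REGISTER = [
    RiskEntry("R1", "Core banking outage", (4, 5), (2, 5)),
    RiskEntry("R2", "Fraud via shared admin accounts", (4, 4), (3, 4)),
    RiskEntry("R3", "Office stationery overspend", (3, 1), (2, 1)),
]
APPETITE = 9  # assumed: residual scores above 9 exceed the board's appetite


def escalation_list(register=SAMPLE_REGISTER, appetite=APPETITE) -> list:
    """Refs of risks whose residual score breaches appetite, highest first."""
    rows = [assess(e, appetite) for e in register]
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return [r["ref"] for r in rows if r["escalate"]]


if __name__ == "__main__":
    for e in SAMPLE_REGISTER:
        print(assess(e, APPETITE))
    print("Escalate:", escalation_list())
```

Running the file prints one row per register entry and the escalation list, which is what would be reported upwards. R1 shows the point of recording both scores: its controls only lower likelihood, so the residual still lands in the High band and above appetite, and the report makes that visible rather than collapsing it to a single number.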

Page 21: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

4. Risk Response

The slide shows a 2x2 grid with impact on the vertical axis and likelihood on the horizontal axis:

High impact, low likelihood: Contingency plans

High impact, high likelihood: Manage actively

Low impact, low likelihood: Review periodically

Low impact, high likelihood: Good housekeeping

Page 22: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Risk Response Options: the 4 T's

Management options: Transfer, Terminate, Treat

Passive management: Tolerate

Page 23: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

5. Monitoring and Reporting

The role of risk monitoring is:

To check that risk responses are in place and working as intended

To check the risk status; no unwelcome surprises

To ensure risks are considered at the right level

To provide assurance to management that risks are being managed in the way approved

Page 24: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

ERM Benefits

Business objectives more likely to be met

Focus on issues or activities that count

Fewer shocks and surprises

Early warning of problems

Effective use of resources

More focused and viable strategies; informs future strategy development

Clarity on risk appetite and freedom to act

Facilitates meaningful disclosure

Enhanced organizational learning

Page 25: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

ERM Implementation Challenges

Organizational silos and outdated information systems prevent many enterprises from adequately sharing information (silos vs. enterprise).

Risk maturity: the extent to which a robust RM approach has been adopted and applied.

Organizational culture: an organization that delivers only 'good news' ends up with poor-quality decisions based on a 'sanitized version of reality'.

Costs affect operations and investment decisions.

Misalignment of risk management strategy with the overall business strategy.

Inadequate skills and competences in Risk Management.

Page 26: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Contd…

Internal control environment: risk management philosophy and operating style; risk appetite; human resource policies and practices; assignment of authority and responsibility.

Failure to strike a clear balance between the hard and soft sides of RM.

Page 27: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Way Forward on ERM Implementation

Organizational review to ensure better structures, with C-level risk executives having visibility and oversight

Risk awareness across the organization

Investment in modern information systems and technologies to enhance information sharing and organizational learning

Training, retention and sourcing of RM subject matter experts

Determining and communicating the business appetite for risk

Establishing organizational risk and control policies (Risk Policy)

Carrying out a risk maturity assessment as a baseline for ERM implementation

Page 28: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Contd…

Balance between the hard and soft sides of RM.

Seamlessly integrate RM thinking and practices into strategic planning and the day-to-day activities of the organisation.

How?

Risk-assess the strategic options

Communicate risk appetite for key risks

Establish Key Performance Indicators (KPIs) to track progress of mitigation

Include risk status reporting at management and board levels

Continuously check the business risk profile

Page 29: IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW

Conclusion: How Competent is your Organization vs. Risk Appetite?

             Low Competence   High Competence
Risk Taker   Gambler          Winner
Risk Averse  Loser            Also-Ran