TRANSCRIPT
CBIZ Risk & Advisory Services | 1
CBIZ Risk & Advisory Services. Agile. Experienced. Efficient.
ERM: Leveraging Information and Technology
May 2019
Introduction
Sonya Golden, CBIZ Risk & Advisory Services
Designations: Certified Internal Controls Auditor
Specialties: Enterprise Risk Management (ERM); Internal Audit; Quality Assurance & Improvement Programs (QAIP); Sarbanes-Oxley; FASB, GAAP Disclosures; SEC Reporting; IIA International Standards for the Professional Practice
Senior Manager in the national Risk & Advisory Services practice for CBIZ, Inc. with over 20 years of experience working with professional services, financial services, governmental and manufacturing clients.
Recently, she led an initiative to create a customized solution to leverage technology and improve the overall accuracy and reliability of fraud and internal control risk assessments at one of CBIZ’s largest clients. Sonya has also assisted clients in conducting all phases of risk management, regulatory compliance, financial and operational audits, including, but not limited to, interviews, walk-throughs, preparation of narratives and flowcharts, planning, identification and testing of controls, and reporting.
Sonya currently serves as the enterprise risk management project lead for CBIZ’s largest internal audit outsource client.
Topics Covered
Understanding Enterprise Risk Management (ERM)
Strategic Value of ERM
Framework Components & Principles
Data – Big, Small and everything in between
Information, Communication, and Reporting
Leveraging Technology and Data
Key Takeaways
Understanding Enterprise Risk Management
Boards and executive management of companies that aspire to be resilient in the face of change must keep in mind:
ERM is defined many different ways by many different standards, frameworks, and disciplines across the globe
ERM sets out a basic conceptual structure of ideas which an organization integrates into other practices occurring within the entity
ERM frameworks, models, and components will vary by legal structure, size, industry, and geography, etc.
ERM uses a common methodology which provides a basis for continuous improvement, rationalization, and integrated reporting
ERM is expected to follow a path of increasingly organized and systematically more mature processes
Underlying principles
Every entity exists to realize value for its stakeholders.
Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.
ERM supports value creation by enabling management to:
Deal effectively with potential future events that create uncertainty.
Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
Understanding Enterprise Risk Management
What is Enterprise Risk Management?
Enterprise risk management (ERM) is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as:
The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.
Strategic Value
Benefits of integrating ERM include the ability to:
Increase the range of opportunities
Identify and manage company-wide risks
Reduce surprises and losses
Reduce performance variability
Improve resource deployment
Anticipate, identify, adapt, and respond to change
Framework Components & Principles
There are several ERM frameworks or models available to help organizations integrate risk:
International Organization for Standardization (ISO) 31000: Risk Management – Principles and Guidelines
United Kingdom’s Orange Book: Management of Risk – Principles and Concepts
Open Compliance and Ethics Group (OCEG) Red Book 2.0 – GRC Capability Model
Federation of European Risk Management Associations (FERMA)
British Standards (BS) 31100: Code of Practice for Risk Management
COSO ERM Integrated Framework: Integrating with Strategy and Performance
An entity’s internal environment can be viewed in the context of three categories:
1. Mission, Vision and Core Values
2. Strategy and Business Objectives
3. Enhance Performance
The five components and principles of the framework are interrelated and consider activities at all levels of the organization:
1. Governance and Culture
2. Strategy and Objective-Setting
3. Performance
4. Review and Revision
5. Information, Communication, and Reporting
The ERM framework defines essential components, concepts, and a common ERM language.
Best practice in ERM implementations has been to utilize a top-down / bottom-up risk-based approach. This approach recognizes the importance of buy-in at all levels.
1. Top-down. Senior management and/or directors select indicators to monitor across the business. Typically the most effective approach for strategic-level KRIs. Top-down KRIs can facilitate aggregation and management understanding in the context of top-level strategy and business objectives.
2. Bottom-up. The business entity or process manager selects and monitors the indicators they see as relevant within their operational processes. Ensures business entity managers select indicators most relevant to the actual operational objectives of their entity and processes.
Worked KRI example as drawn on the slide (business objective → define sources of risk → establish KRI → set key thresholds → monitoring frequency):
Business objective: Minimize exposure to loan defaults
Define sources of risk: Geographic concentration of the institution’s loan portfolio
Establish KRI: Percentage of outstanding capital in active loans in the largest geography
Set key thresholds: Maximum loan concentration in a single geography should be XX?
Monitoring frequency: Real-time
Examples of risks, which the slide groups into four categories (strategic risks, operational risks, financial risks, external risks):
Demand shortfalls; customer losses/problems; M&A problems; pricing pressures; product/services competition; product problems; regulation; R&D; management change; corporate governance; miscommunication/false guidance; earnings shortfall; cost overruns; poor operating controls; accounting problems; capacity problems; supply-chain issues; employee issues and fraud; noncompliance; high input costs; IT security; supplier losses; poor financial strategies; asset losses; goodwill and amortization; liquidity crises; high debt and interest rates; declining commodity prices; rating impacts; industry crises; legal risks; country economic issues; weather losses; partner losses; political issues; terrorism; foreign economic issues.
Risk management process (with "Communicate and Consult" and "Monitor and Review" running alongside every step):
Business Context: internal context; external context; risk management context; develop criteria; define the structure.
Identify the Risks: What can happen? When and where? How and why?
Analyze the Risks: determine existing controls; determine probability and consequences; estimate level of risk; what will this mean for our objective?
Evaluate the Risks: compare against criteria; set priorities; decide whether to treat the risks (yes/no).
Treat the Risks: identify options; assess options; prepare and implement treatment plan; analyze and evaluate residual risk.
To be relevant and impactful, a risk assessment process cannot merely be a checklist; rather, it must provide a clear view of the variables to which an organization may be exposed, whether internal or external, retrospective or forward-looking.
Risk Assessment Process: Identify Risks → Develop Assessment Criteria → Assess Risks → Assess Risk Interactions → Prioritize Risks → Respond to Risks
The first activity within the risk assessment process is to develop a common set of assessment criteria to be deployed across business units, corporate functions, and large capital projects. Risks and opportunities are typically assessed in terms of impact and likelihood. Many enterprises recognize the utility of evaluating risk along additional dimensions such as vulnerability and speed of onset.
DEVELOP ASSESSMENT CRITERIA
Develop assessment scales to create consistency: a standardized scale, with impact assessment criteria that are rated, described, and defined.
Dimensions assessed: impact; likelihood; vulnerability (susceptibility); speed of onset.
Assessing risks consists of assigning values to each risk and opportunity using the defined criteria. This may be accomplished in two stages where an initial screening of the risks is performed using qualitative techniques followed by a more quantitative analysis of the most important risks.
ASSESS RISKS
Qualitative analyses: analysis of existing data; interviews & workshops; surveys; benchmarking.
Quantitative analytics: scenario analysis; causal at-risk models (gross margin, cash flow).
Risks do not exist in isolation. Enterprises have come to recognize the importance of managing risk interactions. Even seemingly insignificant risks on their own have the potential, as they interact with other events and conditions, to cause great damage or create significant opportunity. Therefore, enterprises are gravitating toward an integrated or holistic view of risks using techniques such as risk interaction matrices, bow-tie diagrams, and aggregated probability distributions.
ASSESS RISK INTERACTIONS
Techniques illustrated: risk interaction map; fault/event tree or bow-tie diagram.
Risk prioritization is the process of determining risk management priorities by comparing the level of risk against predetermined target risk levels and tolerance thresholds. Risk is viewed not just in terms of financial impact and probability,but also subjective criteria such as health and safety impact, reputational impact, vulnerability, and speed of onset.
PRIORITIZE RISKS
Tools illustrated: risk hierarchies; opportunity/risk heatmap.
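As an added illustration, not taken from the CBIZ deck, of the assessment criteria, the prioritization against tolerance thresholds described above, and the KRI threshold step of the earlier top-down/bottom-up slide, the Python below scores a constructed risk register on the four dimensions named (impact, likelihood, vulnerability, speed of onset). The 1-5 scales, the scoring formula, the tolerance values and all sample figures are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

SCALE_MAX = 5  # assumed 1-5 standardized scale for every criterion

@dataclass
class Risk:
    name: str
    category: str        # strategic / operational / financial / external
    impact: int          # 1 negligible .. 5 severe
    likelihood: int      # 1 rare .. 5 almost certain
    vulnerability: int   # 1 well controlled .. 5 highly susceptible
    speed_of_onset: int  # 1 years .. 5 immediate

def validate(risk: Risk) -> None:
    """Reject ratings outside the agreed scale so every unit scores consistently."""
    for field in ("impact", "likelihood", "vulnerability", "speed_of_onset"):
        value = getattr(risk, field)
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"{risk.name}: {field}={value} outside 1..{SCALE_MAX}")

def risk_score(risk: Risk) -> float:
    """Impact x likelihood is the base; vulnerability and speed of onset act as a
    0.7-1.5 multiplier so a fast-moving, poorly controlled risk ranks higher (assumed formula)."""
    validate(risk)
    modifier = (risk.vulnerability + risk.speed_of_onset) / (2 * SCALE_MAX)
    return round(risk.impact * risk.likelihood * (0.5 + modifier), 2)

def prioritize(risks: list[Risk], tolerance: dict[str, float]) -> list[tuple[str, float, bool]]:
    """Rank by score (highest first) and flag risks above their category's tolerance threshold."""
    scored = sorted(((r, risk_score(r)) for r in risks), key=lambda t: t[1], reverse=True)
    return [(r.name, s, s > tolerance.get(r.category, 0.0)) for r, s in scored]

def kri_breached(observed: float, threshold: float) -> bool:
    """A KRI (e.g. % of active loans in the largest geography) breaches when it exceeds its key threshold."""
    return observed > threshold

if __name__ == "__main__":
    register = [  # constructed sample register, not real client data
        Risk("Supply-chain disruption", "operational", 4, 3, 4, 4),
        Risk("Loan concentration in one geography", "financial", 5, 2, 3, 2),
        Risk("Regulatory change", "external", 3, 3, 2, 1),
    ]
    tolerance = {"operational": 10.0, "financial": 8.0, "external": 8.0}  # assumed thresholds
    for name, score, over in prioritize(register, tolerance):
        print(f"{score:5.2f} {'EXCEEDS tolerance' if over else 'within tolerance'} {name}")
    print("KRI breached:", kri_breached(observed=42.0, threshold=35.0))  # deck's threshold XX is a placeholder
```

The flagged rows are the ones that would move on to the "Respond to Risks" step; the multiplier is only one way to fold vulnerability and speed of onset into a heatmap-style ranking.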
Information, Communication, and Reporting
What’s worth monitoring?
Organizations must consider what information is available to management and what information systems and technology are in use to capture that information.
While all data is important, predictive data can provide the most significant and tangible benefits. As businesses collect more predictive data, they can project specific business outcomes and make more informed business decisions further into the future
Regardless of industry, management must have open and effective communication channels that address all aspects of the organization, including risk, culture, and strategic performance
The organization’s reporting requirements (frequency, type, source (internal/external)) vary by report user, but it is critical that the focus of reporting be the link between strategy, business objectives, risk, and performance.
Data – Big, Small and everything in between
Too much data can be overwhelming. Too little, and you’re not going to gain any insight or could be missing critical information.
Advances in cognitive computing, such as artificial intelligence, data mining, and machine learning can collect, convert, and analyze large volumes of unstructured data into information that helps organizations to make better business decisions
The key is not just to gather data, but to leverage it with analysis and insight. This often requires experts from multiple disciplines to work together to peel back multiple layers of data and insight
It is important that organizations provide the right information, in the right form, at the right level of detail, to the right people, at the right time – relevant, reliable, and timely
Management must not blindly accept the outcome of data models; instead, transformed data should be combined with human judgment, including a willingness to challenge any assumptions underlying the strategy and business objectives.
Leveraging Technology and Data
The key is not just to gather data, but to leverage it with analysis and insight.
Technology can also introduce new risks to an entity, which can be critical to achieving strategy and business objectives
By building a strategic technology road map, an organization can properly align business goals with technology initiatives to help drive those objectives
Part of that road map should include effective risk management and mitigation processes and controls to ensure the technological advancements are not offset by data security setbacks and breaches, and maximum enterprise value is delivered to the organization
Connect the dots - use information to anticipate situations that may get in the way of achieving strategy and business objectives
Key Takeaways
The first and arguably most important is gaining buy-in from your executive team:
Understand what your stakeholders care about and how they define success. Plan for the barriers you may face along the way
Identify the right people, departments, and tools that you need to get the job done
Determine which data is ripe for analysis, whether they be new areas to review or integrated within your existing program
Establish frequent, consistent reviews of your program so it remains relevant and accounts for future growth
Keep it simple – An overly complex model provides significant challenges to implementation and on-going execution
Summary
Having an understanding of the overall ERM process, as well as your organization, can facilitate the integration of ERM into all levels to support strategic decision-making within your organization
ERM is not a single point in time; instead, a comprehensive plan includes continual improvement and monitoring, employee education, having the right systems and performing the right tests
Having a function that collects, connects, interprets and focuses on enterprise data for the leaders in the organization is critical to improving performance
Leveraging technology to help identify, collect, analyze and evaluate data is critical for success: to remain competitive, innovative and grow the business.
Enhanced data analytics capabilities enable informed decision-making, a better customer and employee experience, and deliver deep insights across the organization.