
The Roles of Risk Appetite and Risk Tolerance in an Effective ERM Program

Eric Gerner, Risk Advisory Services Director

Tuesday, July 10, 2012

Risk Appetite and Risk Tolerance in an Effective ERM Program

General Information

• Share the webinar

• Ask a question

• Votes (polling questions)

• Rate (before you leave)

• Attachments (you can download today’s presentation)


Earning CPE Credit

• To receive 1 CPE credit for this Webinar, participants must:

− Attend the Webinar for at least 50 minutes on individual computers (one person per computer)

− Answer polling questions asked throughout the Webinar

Experis | Tuesday, July 10, 2012 3


Meet our Presenter

Eric Gerner, Director of Risk Advisory Services

[email protected] (703) 336-8189


Agenda

• ERM Overview

• Overview of Risk Appetite and Tolerance

• Examples and Communication

• Alignment with Governance


What is Enterprise Risk Management (ERM)?

A structured and disciplined approach that supports the alignment of strategy, processes, people, technology and knowledge as an organization evaluates and manages the uncertainties it faces in order to attain its goals

• Aligns corporate goals with associated risks

• Reduce potential loss and increase potential gain

• Transparency for Board of Directors and Management


• Integrate into the operations of the business


Standard & Poor’s view of ERM

• An approach to assure the firm is attending to all risks

• A set of expectations among management, shareholders and the board about which risks the firm will and will not take

• A set of methods for avoiding situations that might result in losses that would be outside the firm’s tolerance

• A method to shift focus from “cost / benefit” to “risk / reward”

• A way to help fulfill a fundamental responsibility of a company’s board and senior management


• A toolkit for trimming excess risks and a system for intelligently selecting which risks need trimming

• A language for communicating the firm’s effort to maintain a manageable risk profile


Components of ERM

[Diagram: Goals and Objectives; Enterprise Risk Management; Language, Governance, Process]

Risk Universe Structure at a Glance

[Diagram: the risk categories Compliance, Financial, Strategic and Operational, shown at the Corporate Level and for the Operating Units]

Alignment of Appetite and Tolerance

Based on the organization’s risk appetite, specific tolerances are applied to achieve objectives as risks, threats and potential negative results are managed

[Diagram: Goals and objectives; Risk Appetite; Risk Tolerance (four boxes)]

Polling Question #1

Which of the following is NOT a component of ERM:

A. Aligns corporate goals with associated risks

B. Reduce potential loss and increase potential gain

C. Transparency for Board of Directors and Management

D. A substitute for management’s judgment

E. Integrate into the operations of the business


The ERM Maturity Model

[Diagram: activities arranged along a Timeline]

• Develop internal buy-in and benefits awareness

• Perform Diagnostic of existing Risk Mngt program

• Execute a Risk Assessment

• Develop priorities from Assessment

• Align with senior leadership on the key risks

• Initiate risk reporting and monitoring

• Develop Governance structure

• Develop Risk Universe and language

• Assign responsibility for respective risks

• Define Appetite and Tolerance

• Integrate into strategic initiatives

• Leverage Risk Committee to review risks and the effectiveness of risk mitigation

• Evaluate risk tolerances and policies / authorities

• Expand risk reporting

• Integrate risk based decisions into mgmt’s daily operations

• Integrate Internal Audit with ERM assessment and monitoring

• Adjust from “cost/benefit” to “risk/reward” decision process

• Leverage risk management to competitive advantages in the market

• Integrate continuous monitoring of key risk indicators into risk reporting

COSO Definition of Risk Appetite

The amount of risk on a broad level an organization is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style

Risk Appetite

• Tone at the top risk perspective, set by the Board of Directors

• Is strategic and is related to the pursuit of organizational objectives

• Boundaries within which the company is willing to operate

• Define the willingness to engage in business activities with the associated types of risks

• The nature of the control structure associated with the management of the associated risks

• With this guidance, managers should have an enhanced perspective to interpret various high level and critical factors of risk to apply key business decisions

• Basis to apply judgment for the aggressiveness with which to pursue activities and objectives

COSO Definition of Risk Tolerance

The acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective

Risk Tolerance

The means to operationalize the risk appetite throughout the organization

• Provide clarity on management’s evaluation of its business activities and objectives towards its goals

• Tactical link of individual risks to the strategic goals

• Create the measureable components for monitoring the alignment of progress with the goals and objectives

• How do you determine them – what are the assumptions for the range of acceptable performance built into the corporate goals


• Leading/lagging indicators

• Leverage from existing performance metrics

• Creates transparency for Board/Management monitoring


Three Steps to Risk Appetite and Tolerance

A. Develop B. Communicate C. Monitor and Update


A. Develop

• Provide effective communication of risk throughout the organization

• Applied to cover all categories of risk

• Must be preceded by discussions of strategy and objectives

• Develop through

– Facilitated discussions

– Discussions related to objectives and strategies

– Development of performance models

[Slide graphic: a sample risk universe chart (“ERM – Strategies for Internal Audit”) that groups individual risks under the Strategic, Operational, Resource and External Risks classifications, with groups such as Financial, People, Information, Legal, Integrity, Regulatory, Environment, Competitor and Market]

Goals: 1. Financial Targets 2. Market Mix/Penetration 3. Progress Towards Establishing Future Goals 4. Employee/Customer

B. Communicate – Risk Appetite Statement

• Means to communicate the company’s willingness to engage in risk:

– Overall risk appetite with broad statements

– Risk appetite for each major class of organizational goals

– Risk appetite for different categories of risk

• Provide a lens through which all levels of management may obtain guidance on the willingness to accept the risks associated with business activities in which the company may engage to achieve our corporate goals and objectives

• A strategic statement and directly related to organizational objectives


• An integral part of corporate governance

• A guidance document regarding the allocation of resources

• A general directive on infrastructure/supporting activities in pursuit of organizational objectives

Risk Appetite – Qualitative view

Universal

Risk Universe - Key Categories | Risk Threshold | Control Structure
Earnings volatility | 4 | 5
Liquidity | 3 | 4
Capital Requirements | 1 | 2
Changing economic conditions | 3 | 4
(category label missing) | 1 | 2
Customer satisfaction | 1 | 2
Reputation | 2 | 3
Information Security and accuracy | 2 | 3
Regulatory Standing | 1 | 2
Fraudulent/unethical activity | 1 | 1
Employee turnover | 3 | 4

Risk Appetite example


Risk Appetite example – Quantitative view

Capital Levels

The Company will accept risks to the extent that it can maintain a capital level of $___ less than each of the three well capitalized regulatory capital requirements for financial institutions.

Earnings Performance

The Company will accept risks to the extent that it can maintain a Return on Equity within the top quartile of its peers.

Liquidity


The Company takes a conservative position with respect to liquidity, avoiding risks that may reduce its secured liquidity to less than $___ million.

Asset Quality

The Company will actively mitigate risks potentially leading to a net charge-off/total loans ratio exceeding __%.


Risk Appetite example – Quantitative view (continued)

Growth

The Company is open to investments and/or new products having a potential rate of return of greater than __%, as long as there is low to moderate risk of loss during the first year of operation.

Compliance

The Company is committed to fulfilling all of its regulatory obligations, and will take all actions necessary to avoid any risk of non-compliance (zero tolerance).

Reputation

The Company does not accept any risks with even a moderate likelihood of creating loss of public, customer, stakeholder or employee confidence and/or adverse media coverage.

C. Monitor and Update

• Means to review the application of risk appetite

• Accomplished through specifics identified with risk tolerances / performance metrics

• Incorporated into ERM reporting and dashboards

• Internal Audit can provide independent insight on the accuracy and alignment of tolerances


Polling Question #2

Which of the following is NOT a key component of Risk Appetite

A. Established by the Board of Directors

B. Can be communicated through a Risk Appetite Statement

C. Can be either Qualitative or Quantitative

D. Should be similar between all companies within a given industry

[Slide graphic: the sample risk universe chart (“ERM – Strategies for Internal Audit”), repeated from the earlier slide, grouping individual risks under the Strategic, Operational, Resource and External Risks classifications]

Goals: 1. Financial Targets 2. Market Mix/Penetration 3. Progress Towards Establishing Future Goals 4. Employee/Customer

Inherent Risk - Top 10 by Group

Risk Classification | Risk Category | Risk | Risk Ranking: Senior & Other | Risk Ranking: Senior | Risk Ranking: Other
Resource | Capital / Liquidity | Capital access / availability / allocation | 1 | 1 | 1
Resource | Capital / Liquidity | Liquidity | 2 | 6 | 3
Resource | People | Morale / productivity | 3 | 3 | 6
Resource | Capital / Liquidity | Secondary marketing | 4 | 50 | 2
Operational | Integrity | Credit Policy Adherence | 5 | 10 | 10
Strategic | Strategic | New business evaluation | 6 | 7 | 13
Operational | Integrity | Tone at the Top | 7 | 35 | 4
Strategic | Strategic | Cost control / budget discipline | 8 | 5 | 18
Operational | Deposit Base Management | Attracting deposit accounts | 9 | 34 | 5
Strategic | Strategic | Brand reputation / recognition | 10 | 8 | 21
Strategic | Strategic | Media attention | 24 | 13 | 29
External | Regulatory Compliance | Cooperation with regulators | 41 | 31 | 47

Tolerances example: Executive Risk Report

We would expect the audience would include executives such as:

• Board

• CEO

• COO

• CFO

• Senior managers

• Senior finance managers

• Risk management

[Dashboard graphic with panels: Key Risk Indicators; Risks by Business Area; “At Risk” project profits; Overall Customer Satisfaction; Safety Events By Geographical Region; Bonding Utilization Versus Margin on Bonded Work, by Business Unit; Staff turnover by Project/Dept (Front Office, Middle Office, Operations, Accounting, IT)]

Key Risk Indicators (value): Change orders 12; Schedule delays 90; Customer mix 76; Unbonded subs 60; Labor productivity 55

Sample Commentary

• Staff turnover continues to require new untested staff on key projects

• ABC project has change orders that exceed owner’s loan balance

• Employees say they don’t know how to use existing systems

• 30% of projects have negative float on critical path

• Financial reports from Division don’t tie to detail records


Governance – Key Risk Questions

Strategy

• Is there a process for assessing risk and capabilities?

• Is Board advised of “mission-critical” risks?

Tolerance and Policy

• Is opportunity-seeking behavior balanced with risk-taking?

• Are boundaries and limits adequately defined?

Reporting

• Is there a process for reporting risk and performance?

• Does the organization structure support risk reporting?

Execution

• Are key uncertainties being managed?

• Are there assurances that our capabilities are effective?

• Is a risk-sensitive culture in place?

Applying the Governance

Board of Directors

• Review risk policy, risk management structure, establish risk appetite and tolerances

• Understand and oversee overall risk profile and risk management structure

• Approve risk strategies

Risk Committee (Or existing Management Committee)

• Oversight / Assessment of risk monitoring

• Approve/oversee risk tolerances, initiatives, strategies

• Delegate and oversee authority & accountability for specific risk management

• Coordinate overall risk reporting and monitoring

Risk Owners/Process Owners

• Manage risks in accordance with tolerances and priorities

• Assist Risk Committee with risk reporting

• Primary responsibility for identifying, managing and monitoring risks within their delegated authority

Polling Question #3

Responsibility for Monitoring and the performance of the company against the respective risk tolerances belongs to:

A. The Board of Directors

B. Senior Management

C. Process Owners

D. Risk Owners

E. All of the above

Questions

Eric Gerner, Director of Risk Advisory Services


[email protected] (703) 336-8189

www.experis.com


About Experis Finance

Experis™ Finance delivers innovative project solutions and professional resourcing services in the areas of risk advisory, tax and finance & accounting

Visit experis.us/finance to download the latest white papers and compliance updates
