Enterprise risk management ERM l2b v1

Enterprise Risk Management (ERM)
‘Integrated Framework’
FUNDAMENTALS & ROLES
Roles & Oversight Structure


FUNDAMENTALS & ROLES

The Fundamentals
COSO Enterprise Risk Management
Role of Executive Management
Role of the Director
Role of the Chief Risk Officer
Risk Management Oversight Structure
Role of Internal Audit

IMPLEMENTATION

Risk Management Vision and Objectives
Conducting Risk Assessments
Getting Started – Set the Foundation
Building & Enhancing Capabilities
Building a Compelling Business Case
Making it Happen
Relevance to Sarbanes-Oxley Compliance
Other Questions

Role of Executive Management
Who should participate in the ERM process, and how?
Best when all key managers of the organization contribute (CRO, CFO, Legal & Audit)
“support the entity’s risk management philosophy, promote compliance with its risk appetite and manage risks within their spheres of responsibility consistent with risk tolerances.”

Role of Executive Management
Must the CEO be fully engaged in the ERM process or system for it to be successful, or can he or she delegate it to someone else?
“CEO is ultimately responsible and should assume ownership”
Are there any unknown exposures to events that can abruptly shift the organization’s agenda to “damage control” in a heartbeat should they occur?
What can be done cost-effectively to prevent the potential future events from happening, and how will the organization respond should the events occur?

Role of Executive Management
How will senior management benefit from supporting ERM implementation?
6 in 10 senior executives lack high confidence that their organization’s capabilities are identifying and managing all potentially significant business risks
An enterprise-wide approach to business risk management will help executives meet the challenges they face by improving the linkage of risk and opportunity during the strategy-setting process and positioning risk management as a differentiating skill in managing the business

Role of Executive Management
How should executive management evaluate ERM?
Four categories of objectives
The extent of application (across the entity and its divisions and business units)
The eight components of ERM, as defined by the COSO framework, provide the basis for that evaluation.

Role of Executive Management
What is the role of the CIO in an ERM environment?
Overall governance issues relating to the IT operations
Processes impacting IT
Various application and data owners
Need to eliminate gaps and overlaps in the ownership of IT-related risks

Role of Executive Management
What is the role of the treasury and insurance in an ERM environment?
Physical and financial assets on the balance sheet
Prospects for expected future cash flows from core business activities
Various contractual obligations of the enterprise, among other things

Role of Executive Management
Enterprise-wide view
Those closest to the risks must be directly engaged in the management of the risks
Assume primary responsibility to decide, design and monitor, or secondary responsibility to build and execute (according to the design)
Treasuries and insurable risk management functions are taking a broader, more strategic view of the business, leading their organizations to a more formal and systematic approach to managing operational and other business risks

Role of Executive Management
Does ERM require reporting to executive management? If so, what types of reports are most suitable for executive management?
Information and communication – reporting drives transparency about risk and risk management throughout the organization to enable risk assessment, execution of risk responses and control activities as well as monitoring of performance
Dashboard or scorecard reporting

Role of Executive Management
Enterprise’s risks, broken down by operating unit, geographic location, product group, etc.
Existing gaps in the capabilities for managing the priority risks
Top and worst performing investments and reasons why
Report of emerging issues or risks that warrant immediate attention
Sensitivity of existing portfolio positions to market rate changes beyond specified limits - exposure of earnings or cash flow to severe losses
Impact of changes in other key variables beyond management’s control (e.g., inflation, weather, competitor acts and supplier performance levels) on earnings, cash flow, capital and the business plan

Role of Executive Management
Operational risk reports summarizing exceptions that have occurred versus policies or established limits (i.e., limit breaches), including any significant breakdowns, errors, accidents, incidents, losses (as well as lost opportunities) or “close calls” and “near misses.”
Specific events or anticipated concerns that could “stop the show.” For example, what is our Latin American or Asian exposure?
Significant findings of business process audits performed by internal audit or reviews conducted by other independent parties such as the organization’s regulators
Status of improvement initiatives. Are planned improvement initiatives on track? If not, why?

Role of the Director
How are ERM and governance related?
Governance is the process by which directors oversee the decisions and actions of executive management in a constructive manner, consistent with applicable laws and regulations, as management formulates and executes strategies to accomplish enterprise objectives
Top performers will be those that best understand their risks and align their risk taking with what they do best
Management can use guidance and input from savvy, experienced directors as they work to achieve this objective

Role of the Director
Why should directors be concerned about whether their companies implement ERM?
Shortfall of knowledge about the current and future strategy of their companies
Certain lack of confidence in management
Desire to assume a more active overall role

Role of the Director
What are your critical risks to the execution of the business model and strategy? How do you know?
How are you managing the critical risks? Are the risks undertaken consistent with the organization’s risk appetite? How do you know?
When there are significant changes in the underlying risks the organization faces, are you informing the board in a timely manner?

Role of the Director
How should the audit committee view ERM?
Focus on public and financial reporting risks
Must discuss management’s policies with respect to risk assessment and risk management
ERM process provides fresh insight as to new and emerging risks for timely action and possible disclosure

Role of the Director
Organization’s exposure to potential future events (e.g., catastrophic losses, fraud, illegal acts, litigation, etc.) which could impact its brand image and reputation
Management’s assessment of financial reporting risks, and ask the external auditors if they concur with that assessment
Soft spots relating to financial reporting that give rise to significant risks, e.g., the reserves, contingencies, valuations, computations and disclosure areas requiring significant judgment
Extent of self-assessment and entity-level and process-level monitoring in place to manage financial reporting risk

Role of the Director
Internal auditor’s assessment of risk and the audit plan based on that assessment
Whether there are managers responsible for identifying, assessing, managing and monitoring critical risks, and whether the committee should meet from time to time with those managers to discuss the implications of their activities for public and financial reporting
Results of management’s enterprise risk assessments and the implications to public and financial reporting
Other board committees, such as the finance committee or a designated risk committee, may emphasize other business risks through their respective activities

Role of the Director
How should the board exercise oversight of ERM implementation?
Discuss with senior management the state of the entity’s enterprise risk management
Provide oversight as needed
Ensure it is apprised of the most significant risks, the actions management is taking, and how management is ensuring effective enterprise risk management

Role of the Director
Board should satisfy itself that:
Growth and innovation are encouraged and rewarded without creating unacceptable exposure to risk
Risk appetite inherent in the organization’s opportunity-seeking behavior in developing new products and new markets is clarified, understood and managed
Defined boundaries and limits clearly exclude behaviors and actions that are off-strategy and unacceptable

Role of the Director
Board should satisfy itself that:
Performance measures and targets do not encourage excessively risky behavior
An enterprise-wide view, rather than a narrower unit or functional view, is taken when selecting strategies to optimize risk and reward for the enterprise as a whole
Effective internal controls and checks and balances are in place in high-risk areas

Role of the Director
Strategy
Does management involve the board in a timely fashion during the strategy formulation process and discuss management’s risk appetite?
Does management involve the board when making decisions to accept or reject significant risks?
Are the critical risks inherent in the organization’s business model fully understood and managed by personnel with the requisite knowledge, skills, tools and information? How do you know?
Does the board understand the priority business risks and how those risks are addressed?
Are the company’s key risks on a list? Is the list current?
Is there sufficient time during board meetings to discuss the key risks and whether there are significant gaps in the capabilities for managing those risks?

Role of the Director
Policy
How does management encourage and reward growth and innovation without creating unacceptable exposure to risk? For example, are there defined boundaries and limits that clearly specify behaviors that are off-strategy and off-limits?
Are the entrepreneurial activities and the control activities of the business in balance, so that neither is disproportionately strong relative to the other? Are the risks inherent in opportunity-seeking behavior understood and managed? How do you know?

Role of the Director
Execution
Does management understand the uncertainties inherent in its strategies for achieving business objectives and performance goals? How do you know?
Are there adequate assurances that risk responses and the related control activities and information and communication processes are operating effectively? How do you know?
Are effective contingency plans in place to respond in the event of a crisis? How do you know?
Is there an early warning system or executive team dashboard for “mission-critical” risks?