Enterprise risk management ERM l5 v1

Enterprise Risk Management (ERM)
‘Integrated Framework’

IMPLEMENTATION
Building Capabilities
Taking A Process View


FUNDAMENTALS & ROLES
The Fundamentals
COSO Enterprise Risk Management
Role of Executive Management
Role of the Director
Role of the Chief Risk Officer
Risk Management Oversight Structure
Role of Internal Audit

IMPLEMENTATION
Risk Management Vision and Objectives
Conducting Risk Assessments
Getting Started – Set the Foundation
Building & Enhancing Capabilities
Building a Compelling Business Case
Making it Happen
Relevance to Sarbanes-Oxley Compliance
Other Questions

What steps does management take to build risk management capabilities?
step one - assess risk and develop responses
step two - design and implement capabilities
step three - continuously improve capabilities

How does management decide on the appropriate risk management capabilities?
judgment, culture and operating style
How does management improve the organization’s risk assessments?
directing the necessary resources to support the process

How are objective-setting, event identification and risk assessment related?
“Objective-setting” occurs when management sets strategic objectives → context for establishing operational, reporting and compliance objectives
Future potential events are identified with specific objectives in mind
Risk assessment occurs when management considers qualitative and quantitative methods to evaluate the probability and materiality of potential events


How important is risk assessment to the ERM effort?
needed to identify priority risks and to initiate a gap analysis around the capabilities in place for managing those risks
Unacceptable gaps relating basis for value proposition of advancing an organization’s ERM infrastructure
provides quality inputs into risk response planning

What alternative risk responses are available to manage risk?
avoid (eliminate the risk by preventing exposure to future possible events from occurring)
accept (maintain the risk at its current level)
reduce (implement policies and procedures to lower the risk to an acceptable level)
share (shift the risk to a financially capable, independent counterparty)
Defer (decision)


Desirable Risks
core business model/normal future operations
can effectively measure and manage it
Desirable Risk Responses
Accept the risk at its present level
Reduce materiality (diversification) and/or probability (control)
Share the risk with financially capable 3rd parties


Undesirable Risks
off-strategy
offers unattractive rewards
cannot measure or manage it
Undesirable Risk Responses
Avoid
Share

Accept can mean much more than merely retaining a risk
incurring internal charges to P&L
creating contingent sources of borrowed funds
reserving losses under generally accepted accounting principles
setting up a pure captive insurance company
participating in an associate captive
offset a risk against other risks within a well-defined pool
response may be a combination of options
control activities to reduce
share actions to lay off a portion of the residual risk


Exploiting risk - pursuit of opportunities - not ERM
Diversify financial, physical, customer, employee/supplier and asset holdings
Expand the business portfolio by investing in new industries, geographic areas and/or customer groups
Create new value-adding products, services and channels
Redesign the firm’s business model, i.e., its unique combination of assets and technologies for creating value
Reorganize processes through restructuring, vertical integration, outsourcing, re-engineering and relocation


Exploiting risk - pursuit of opportunities - not ERM
Allocation of capital (NPV)
Pricing products and services to influence customer choice
Renegotiate existing contractual agreements to reshape the risk profile, i.e., transfer, reduce or take risk differently
Arbitrage price discrepancies by purchasing securities or other assets in one market for immediate resale in another
Influence regulators, public opinion, law makers and standards setters through focused lobbying, political activism, public relations, etc.


What factors must management consider when evaluating alternative risk responses?
Management’s objectives/strategies: ST tactics, MT strategies and LT business objectives incorporating constraints
Risk and reward trade-offs
Risk management capabilities
Time horizon
Financing
Residual risk (never completely eliminated)
Inadvertent risk taking (response)
Risk manageability


Other factors to consider
costs and benefits
option value of waiting versus acting immediately (defer)
effectiveness in achieving stated goals
interaction with other contemplated responses

Understand nature of potential events and the related effect
Business plan uncertainties (key variables and assumptions)
Business plan exposures to change in variables/assumptions
Performance variability versus loss exposures (only bad)
Scenarios (sensitivity analysis)
Controllable vs. non-controllable (internal/external)
Operational versus contractual (nature and duration) → ST contractual protection vs. LT operationally focused strategies
