Developments Advanced in Risk Analysis and Risk Management

Report
Developments Advanced in
Risk Analysis and Risk Management
Lori Brown, Seton Hall University
Robert Roach, New York University
Jean Demchak, Marsh
Program Speakers:
Lori Brown
Director of Compliance
& Risk Management
Seton Hall University
South Orange, NJ
Jean Demchak
Managing Director
Global Education Leader
Marsh, Inc.
New York, NY
Robert F. Roach
Chief Compliance Officer
New York University
New York, NY
“It wasn’t the risk we knew about that
concerned us, but the risks we were
unaware of that worried us the most”
Chris McAlary, VP Finance,
Mount St Mary’s College
Program Overview
1. Trends in risk management and impact of ERM on
credit ratings.
2. Developing an Institutional ERM program.
3. Practical Risk Management tools for Compliance
and ERM programs
Risk: Upside and Downside
All organizations face internal and external
factors that make it uncertain whether and
when they will meet their objectives.
The effect of this uncertainty on achieving
objectives is called risk.
Risk Management in Application
Risk Management principles can be applied to any type of
risk, whatever its nature, whether having positive or
negative consequences.
Compliance Programs:
Use Risk Management principles to help identify,
assess, evaluate, and treat ethical and regulatory risks.
Enterprise Risk Management (ERM):
Is a coordinated program applied throughout the
life of an organization and to a wide range of activities,
including strategies and decisions, operations, processes,
functions, projects, and services.
Risk Assessment and Management Process
1.
Organizational Context: What are your organization’s objectives, structure and
operations?
2.
Risk Identification: What are the possible risk events your organization faces?
3.
Risk Assessment:
o What is the likelihood of the risk event happening?
o What is the potential impact of the risk event?
4.
Risk Evaluation: Having assessed the risks:
o What is your organizations “appetite” for risk?
o what are the most important risks to address?
5.
Risk Treatment: What steps must be taken to mitigate the risks Identified?
6.
Monitoring, Review and Corrective Action,
o Are internal controls working effectively to mitigate risk?
o Is there any corrective action needed?
7.
Communication: Throughout the Organization
Simple Risk Assessment Diagram
Identified Risks
Conflicts of Interest
Medicare/Medicaid
Billing
Time and Effort
Reporting
Tax Exempt Bonds
Executive Compensation
Record Retention
Export Controls
EEO/AA Laws
Risk Evaluation
Having assessed the risks:
o What are the most important risks to address?
o What is your organizations “appetite” for risk?
Risk Response
• Avoidance
• Reduction/Mitigation (Internal Controls)
• Sharing (e.g. Insurance)
• Acceptance
o Crisis Management Plans
o Business Continuity Plans
o Other Operational Plans
Control Activities
•Organizational/Process Controls
o E.g. Separation of Duties
•Documentation
o Written Policies and Procedures Essential
•Training
•Audit Trails
o Final Results should be traceable back to originating transactions
•Security and Integrity
o Access Controls
Strategic Risk Management: Expectations and Opportunities
Areas where senior management’s expectations of risk
management have grown
Integrate with operations
Execute day-to-day RM activities
efficiently
Improve quantification/analysis
Understanding of non-insurable risks
Increase involvement in strategic planning
Lead ERM activities
Work with lower headcount
Serve on RM committee
Risk Manager
C-Suite
Increase use of technology
Understanding of RM ROI
Finance
Source: Excellence in Risk Management VIII
25%
50%
Strategic Risk Management:
Expectations and Opportunities
Key performance indicators (KPIs)
20%
Manage RM value through TCOR
Competitive procurement of risk transfer
15%
Financial measures for retained/insured
exposures
15%
13%
Insurance budget management
Mitigate liabilities/support preparedness
Align RM objectives with company risk tolerance
RM alignment with company goals
7%
6%
5%
Build strategic risk awareness across
4%
organization
Deliver successful claim results 3%
Compliance 3%
Source: Excellence in Risk Management VIII
Primary KPIs
Secondary KPIs
Tertiary KPIs
Strategic Risk Management: Expectations and
Opportunities
Effectiveness of risk committees
How effective are crossfunctional risk committees?
How could your firm’s cross-functional risk
committee become more effective?
Consider risks more
strategically
8%
30%
62%
Very effective
Somewhat effective
Not effective
Source: Excellence in Risk Management VIII
55%
Disseminate information
more widely
Increase visibility of senior
management support
Use a wider range
of analytics
Engage senior
management to
communicate support
44%
36%
36%
30%
Strategic Risk Management: Expectations and Opportunities
Primary focus areas for developing RM capabilities
53%
56%
Strengthen ERM
45%
52%
52%
Training/education
62%
Technology upgrades
35%
36%
41%
Current employees
32%
39%
42%
20%
19%
Restructure insurance programs
29%
Source: Excellence in Risk Management VIII
2011
2010
2009
Strategic Risk Management: Expectations and Opportunities
Barriers to senior management’s understanding
of the risk landscape
42%
Siloed approaches to RM
Lack of awareness of ERM concepts
39%
34%
Organizational structure
Inadequate RM representation at
Board/C-suite level
31%
Lack of relevant risk data
31%
Inadequate link to strategies
27%
Demonstrating value of ERM
27%
Source: Excellence in Risk Management VIII
Strategic Risk Management: Expectations and Opportunities
Top Ten Risks
Risk Managers
Rank
(Readiness*)
C-suite Rank
(Readiness*)
Finance Rank
(Readiness*)
1 Economic conditions
1 (30%)
1 (26%)
5 (31%)
2 Business disruption
2 (76%)
3 (58%)
1 (63%)
3 Reg. /Compliance
3 (60%)
5 (59%)
3 (62%)
4 Legal or reg. shifts
4 (44%)
2 (47%)
6 (53%)
5 Litigation or claims
6 (70%)
5 (63%)
9 (56%)
6 Tech. / systems failure
7 (63%)
11 (65%)
3 (60%)
7 Brand / reputation
5 (44%)
8 (51%)
12 (35%)
8 Data sec. / breach
9 (65%)
7 (60%)
8 (53%)
9 Physical resources
8 (80%)
20 (61%)
2 (73%)
10 Business continuity
10 (67%)
13 (64%)
17 (58%)
`
Company’s Top Risks
* Percent of respondents with management plan in place or recent review undertaken of the risk
Source: Excellence in Risk Management VIII
What is ERM
And Why Does it Matter to
Higher Education?
Definition of Enterprise Risk Management (ERM)
A structured, consistent, and continuous risk management process
applied across the entire organization that brings value by:
1. Proactively identifying, assessing, and prioritizing material
risks
2. Developing and deploying effective mitigation strategies
3. Aligning with strategic objectives and administrative
processes
4. Embedding key components into the organization’s culture:
1. Risk ownership, governance, and oversight
2. Reporting and communications
3. Leveraging technology and tools
5. S&P incorporating ERM reference into industry credit rating
reports
The Four Quadrants of Risk
Sample Enterprise Risk Issues in
Higher Education
Higher education Enterprise risk inventory 1
Students
•
•
•
•
•
•
•
•
•
•
Student satisfaction/preferences
Inter-class relations
Housing
Athletics
Admissions policy
Recruitment
Retention
Greek life/Student life
Student welfare
Student judiciary
Teaching and
Student Life
Faculty
•
•
•
•
•
•
•
Attract and retain faculty
Tenure policies
Curricula/program design
Research & development
Intellectual property
Fraudulent research
Fraudulent credentials
External
Stakeholders
Alumni
•
•
•
•
• Alumni relations
• Endowment
• Donations
Research & development programs
Athletic rankings
Human Capital
Employment
practices

Faculty/tenure
succession planning

Tuition rates/
tuition stability

Cost of capital/
interest rate fluctuations


Conflict of interest

Employee fraud


Athletics
Business
interruption

Field courses
Student activities

Reputation/
branding
 Marketing

Foreign expansion
Admissions policy

Availability
Privacy



Visitors and contractors



Finance
Integrity
Process


Strategy
Information
Technology

Environmental
Health/Safety

External
Access
Environmental
compliance
 Demographics
Corporate/institutional alliances
Community outreach
Endowment
Donations



Performance
incentives

Expansion capital

Brand/reputation
Academic rankings
Employee
stress/ burnout

Compensation
Unionization

Workforce
productivity


Hiring and
retention
Pension fund
Claim reserve
liability

Risk financing

Litigation

Endowment


Illegal acts

Management
fraud

Third party fraud

Unauthorized
acts
Faculty bookings
Infrastructural renewal
and capacity

Regulatory
compliance

Failure to educate
Licensing

Vendor alliances
Contract commitment
Product and delivery
model
 Outsourcing

Corporate/
institutional
alliances

Planning
Intellectual
property


Data integrity

e-Commerce

Relevance
Reliability
Ethical decisionmaking

Technological
capacity

Illness/injury to faculty,
students or staff

 Competition
Natural
hazards
 Economy



Campus security

Resource
allocation
 Technology transfer
Infrastructure
Internet security



Special events


Student/faculty
travel
 Social responsibility
This inventory does not capture the risks associated with a university medical center
1
Copyright © 2006 Mercer Oliver Wyman
NYC-MOW171ERC-027
16
ERM Compliance Factors: Commentary
• Compliance and ethics oversight has traditionally been
the responsibility of an institution’s legal department
• Risk management procedures of institutions are under
increasing regulatory and private scrutiny
• There has been a shift from a defensive function
focused on policies, procedures and expenditures, to a
strategic function focused on optimizing resource
allocation and effectiveness
• Recent mandates and guidelines are fueling the
momentum
ERM Compliance Factors: Current and
Emerging Standards and Guidelines
GUIDELINES & BEST PRACTICES:
• Committee of Sponsoring Organizations of the
Treadway Commission’s (COSO) ERM Framework
• Standard & Poor's (S&P) ERM Ratings Criteria for NonFinancial Organizations
• ISO31000
EMERGING REGULATIONS & GUIDELINES:
• Accreditation requirements?
ERM Guidelines and Best Practices:
Overview of S&P’s ERM Ratings Criteria
Culture
 Organizational
structure
 Risk management
staff roles and
accountability
 Risk
communication
(internal and
external)
Emerging Risk
Preparation
Strategic Risk
Management
 Risk limit
application and
enforcement
 Environmental
scanning,
trending, stress
testing,
contingency
planning and other
pre-loss practices
 Utilization of risk
management and
return on risk in
strategic decision
making
 Risk control
processes—
policies,
infrastructure,
methodology (PIM)
 Expectation
planning for
negative events
pre and post-loss
performance
Risk Controls
 Risk identification,
measurement and
monitoring
 Sector and firmspecific risk
control criteria
 Risk consideration
within capital
budgeting and
allocation,
performance
measurement and
other
administrative
practices
ERM Guidelines and Best Practices: ISO 31000
6.3 Establishing the
context
6.4 Risk Assessment
6.4.2. Risk
Identification
6.2
Communication
& Consultation
6.4.3. Risk analysis
6.4.4 Risk evaluation
6.5 Risk treatment
Source: International Organization for Standardization
6.6
Monitoring &
Review
• ISO 31000 Risk Management
Standard follows the Australian
/ New Zealand Standard
• Released in late 2009
• No current certification
standard, but it may follow
ERM Compliance Factors:
Common Elements of ERM Frameworks
• They outline a process for ERM implementation that includes:
– Risk identification and assessment
– Risk prioritization
– Risk solution design and implementation
– Routine monitoring and reporting
– Communication
• They recognize that good risk management must be embedded into the
organization’s day to day activities
• They consider both the ‘upside’ and ‘downside’ of risk
• They are not one size fits all
How to Initiate an ERM
Program
Building Senior-Level Support
• Elements of an ERM Value Proposition:
– Optimal capital deployment
– Continued or improved rating agency confidence
– Effective critical event response
– Better decision making relative to risks assumed
– Enhanced stewardship and governance
Developing the Team/Structure
Risk
Reports
Board of Trustees
President/Senior Leadership
Internal audit
Risk Management Committee
Risk
Reports
Provost
Finance/
Legal/
HR
Select
Deans
Ext
Affairs
Risk
Mgr
?
RM
Compliance
Audit
ERM functional representation, risk management activity support and shared services
College
A
College
B
College
C
Dept A
Dept B
Risk information and root data, issues management
Dept C
Understanding Where You Want to Go…
Critical success factors
• Establish the right vision and realistic plan
• Obtain senior leadership buy-in and direction
• Align with mission and strategic objectives
• Attack silos at the onset
• Set objectives / performance / early warning indicators
• Stay focused on results
• Communicate vision and key outcomes
• Develop a sustainable process vs. a one-time a project
…Then Making It Happen
1
2
3
Envision the
Future State
Assess the
Current State



Risk Identification,
Assessment &
Prioritization
Risk Mitigation &
Controls
Risk Management
Infrastructure

Governance &
Accountability
Implement
ERM

Implement Risk Solutions

ERM Integration with:

Reporting
 Routine Processes

Strategy
 Strategic Plan

Policies, Processes
& Procedures
 Organizational
Culture

Technology &
Systems

Culture
Link to Strategy and Stakeholder Value
HIGH
Keep in Mind ERM is a Journey - Not a
Destination
Value Creation &
Risk Optimization
Risk Management
Integration
Enterprise Risk
Awareness
Risk Specialization
• Isolated and independent
risk management
activities,
• Limited focus on the
linkage between
enterprise-wide risks and
strategies
• Adopt an ERM framework
• Assign executive
ownership of risk
management
• Conduct routine risk
assessments
• Implement a fully
integrated ERM structure
based on a framework
• Monitor & report on risks
through the enterprise
• Coordinate ERM activities
• Embed risk management
into strategic planning
• Monitor risks with early
warning risk indicators
• Link risks to stakeholder
value
• Drive sustainable
performance
LOW
Insurance & Compliance
Core ERM Practices
Risk Management Philosophy
Risk-Reward Optimization
A Few Practical Tools and
Deliverables
Sample Risk Map
Key risks
High
3
1
4
2
5
Likelihood
6
7
8
10
Medium
- Illustration 14
9
11
13
12
16
15
17
19
18
Low
Very Low
Low
Moderate
Major
Impact
Tier one risks
Tier two risks
Tier three risks
Catastrophic
1.
Intellectual Property
2.
Greek Life
3.
Pension Funding
4.
Succession Planning
5.
Student Safety
6.
Economy
7.
Alumni Relations
8.
Faculty Retention
9.
Tuition Rate
10.
Athletics
11.
Research Compliance
12.
Community Relations
13.
Information Technology
14.
Delivery Channel
15.
Demographics
16.
Operating Model
17.
Research Grants
18.
Endowment
Performance
19.
Privacy
Sample Questions for the Board of Trustees
Yes
No
Trustee Questions
Did we receive material which adequately distilled vast quantities of risk
information into prioritized, actionable summaries?
Were the risks associated with key departments presented in a comprehensive,
holistic manner?
Were any losses that occurred related to risks that have been identified? Are
the losses consistent in magnitude and frequency to the risk profile?
Did management tie revenues, losses, surprises and specific material events to
the presented risk profile?
Did management outline strategy altering scenarios? For example, could
multiple problems arise simultaneously or sequentially (the “perfect storm”)?
Was management forthcoming about any differences among senior leadership
regarding material strategic recommendations and decisions?
Were the assumptions underlying our strategy effectively challenged and tested
against changes in the external environment?
Sample Questions for the Board of Trustees, cont.
Yes
No
Trustee Questions
Did management outline the processes used to develop the data and
information that relates strategy with identified risk?
Do we have a common understanding of the types of triggers that bring an
issue to our attention?
Were we provided with an understanding of what capabilities are required to
address the institution’s risks? Were capability gaps identified?
Do we have a common understanding among management and the board
about the roles, responsibilities, and accountabilities relative to risk oversight?
Did we discuss the details of risk appetite with management?
Do we need a chief risk officer (CRO) or a similar resource?
Do we have the appropriate committee structure and reporting lines to ensure
we meet our risk oversight obligations?
Do we have sufficient personnel (including advisors) and financial resources in
place to enable us to fulfill risk engagement responsibilities?
Risk Identification
• Initial interview with Risk Owner
– What issues/areas of concern that keep them up at
night?
– What is the probability of occurrence, when taking into
account controls already in place?
– Risk owner impression of impact level.
• Create a basic risk register. Focus on high
probability and high impact risks.
Person
Interviewed
Risk Owner
Department
Area of Concern
Issues
Affect On Other
Departments
Probability of
Occurrence
H = >70%
M = 30-70%
L = <30%
Impact
Arthur Anderson LLP v. United States
• US Supreme Court recognized the legitimacy of managing and
systematically disposing of records in accordance pursuant to a
records retention policy
• The Supreme Court held:
“Document retention policies,’ which are created in part to
keep certain information from getting into the hands of
others, including the Government, are common in
business. It is, of course, not wrongful for a manager to
instruct his employees to comply with a valid document
retention policy under ordinary circumstances.”*
*544 U.S. 696, 704 (2005)
Likelihood of Occurrence**
Level
1
Descriptor
Very Rare
Unlikely
2
Possible
3
4
Likely
Almost certain
5
Description
Indicative Frequency
(expected to occur)
Once every thirty years.
Heard of something like this
occuring elsewhere.
Low likelihood of the event
Once every three to ten
happening. The event does occur years.
somewhere from time to time.
Medium likelihood of the event
happening. The event has
occurred at least once in your
career.
The event has occurred several
times or more in your career.
High likelihood of the event
happening. The event has
occurred in the last six months.
Once every three years.
Once every year or less.
More than once a year.
**NOTE:
Please rate the likelihood of the event occuring AFTER taking into account
the adequacy of existing controls
Likelihood/Probability of Occurrence
Severity Level
HIGH
H
MEDIUM
M
LOW
L
Probablity
>70% chance that the risk
event will occur within the
next year.
Between 30% and 70%
chance that the risk event
will occur within the next
year.
<30% chance that the risk
event will occur within the
next year.
Communication
• Each risk owner creates a project plan, including
timelines for mitigating that risk.
• The risk owner provides semi-annual progress
updates on risk mitigation projects.
• This information is provided to the Audit Committee
of the Board of Trustees.
1. General Project Information
Project Title:
Project Sponsor/Department:
Project Summary:
2. Project Update
Current Status List completed action items and project successes thus far.
Remaining Tasks List the remaining tasks/action items which are needed for the successful completion of the project.
“Meeting challenges gives rise
to opportunities.”
QUESTIONS

similar documents