MAF 754ERM Frameworks & ERM MaturityDavid Sewell27 April 2012
Today’s topics•A case study in ERM Implementation : one company’s experience•ERM FrameworksCOSO ERMCasualty Actuarial Society (CAS)ISO 31000Victorian Government•Measuring ERM maturityVictorian Government RFQRFederal Government ComcoverRIMSOthers•Assignment 2
ERM Implementation –AusyPac’s Experience
Some background about AusyPacCorp HOSydneyUSAEuropeAustraliaAsiaDrink BottlesPaperPlastic FilmTobacco PackPackaging materials industry$6B annual turnover150 locations in 25 countries3000 employees
Primary drivers for ERM•Dual listing on US stock exchange•Compliance with Sarbanes-Oxley•ASX principles of corporate governance•Increasing expectations on sustainability reporting•Increased interest from board members
Implementation process lead by Internal Audit (IA)•The ERM framework was developed by external consultants using guidance from COSO ERM and the AS/NZ 3460•Due to work being done by IA and compliance on Sarbanes Oxley, the ERM project was introduced under the same project team.•The proposed framework was highly complex and difficult to understand.•The IA team and consultants treated the project as a process to meet compliance requirements, rather than add value to the organisation.•Little time was spent looking at the context and objectives of the process and an excessive amount of effort was put into the complex process.
Implementation process lead by Internal Audit (IA)•When the framework was put to the board for approval, it was approved. •When changes were proposed afterwards, they were difficult to achieve due to prior board approval.
Risk Assessment Workshops•Workshops were run with the leadership team for each business group at head office.•A brainstorm was conducted collecting around 20 risks each•The workshops provided mixed results -the culture of the teams impacted significantly on the results•Workshops the first time was welcomed primarily due to novelty and there was some good discussion on issues which were not normally discussed in larger groups. •The complexity of the process restricted the amount of time available for discussion of the important issues
Risk Assessment Workshops•There was a lack of ownership and the risk assessment lacked any research. •Often discussions were dominated by extraverted individuals and senior members.•The materiality levels defined for consequence did not relate well to the objectives of the smaller business groups.•Feedback for the process was good in general , but it was not clear how the process would be embedded into the business and used on an ongoing basis.
Feedback from workshop participants and managementReports•The reports generated from the workshops were accepted by the business groups. •The workshops held were unique. Never before have issues like these been discussed in such a wide forum.•The reports were disconnected from operational and strategic goals. •The process was more of a sideshow rather than core business process. Materiality•created confusion -was a “High” rating high for the business group or the corporation?
Feedback from workshop participants and managementResearch and analysis on risks•Number of business groups created lists of over 100 risks with hundreds of controls and recommendationsOwnership for risk mitigation recommendations•Little follow up after the meetings. •Issues and risks identified were poorly researched or tested. Controls were not always relevant and action items had not been analysed for good cost benefit.•The lack of ownership created a disconnect and problem for the risk management team to follow up and question the findings. •The CFO was typically the point of contact for the process. •The CFO was already very busy and found it difficult to provide the time necessary for review and follow up.
Feedback from workshop participants and managementBoard of Directors requirements•Accepted the process and findings but did not appear to be impressed with the reports. •Many attempts to present the information in palatable format but due to the detail :it was difficult to summarise the findingsboard reports ended up as large complex spreadsheets containing all the detail•Recognition that ASX requirements had been met, but the process was not providing the value that had been Audit•The process was being run by IA which created a conflict of interest
After 2 years of implementing…•going nowhere –business groups pushed back a process that reported risks such as building fires and issues which were relevant but not priority to executives. •Accepted the process and findings but did not appear to be impressed with the reports. •During a review of business unit business plans, many key strategic and operational risks were uncovered that did not appear in ERM reports. •IA had been running the process but also had a responsibility to audit the process to ensure it was complying with the AS/NZs standard.•The RM Team which had previously only focussed on insurable risk was given the role to manage the process.
Major changesBusiness group champions•Appointment of risk champions for each group. •Well connected in reasonably senior roles. •Role to ensure risk meetings were held and information gathered was in line with corporate standards. •Corporate risk team was responsible for educating the champions and providing them with necessary materials to complete the process. •Corporate risk team reviewed findings and created the board reports and executive team information.
Major changesProcess simplification to report top 10 risks•Previously inherent risks were considered but now discarded. •Only current or residual risk was considered. •“Sticky note” brainstorm technique was used to generate ideas and discussed and reduced to around 10 key enforced•Challenge was to ensure the risks reflected the root cause of the risk. •Work was continued outside the meeting by the risk owners which allowed research and careful consideration of likelihood and impact. •After a few days risk owners would report back with their findings and the group would agree the ratings, controls and potential improvement plans.
Major changesKey Risk Indicators (KRIs) Developed•Smaller number of risks allowed the development of KRIs.•These were metrics that were directly related to the identified risks.•Dashboards were developed that tracked KRIs and allowed real time updates of the risks.•These dashboards were then included in monthly reports and used by senior management to embed risk based decision making in the organisation
Lessons learntERM is a journey, not a destination•Along the journey the business becomes more familiar with the concept of risk management. •Rather than a single mile stone for ERM there are many smaller ones. •ERM maturity models have attempted to track organisations along this journey.•Those who have been spending more time along the path realise that it can take a long time and significant effort to achieve true ERM the process simple•Participants can easily get bogged down in detailed process methodologies.•The limited time is better spent on discussing real issues and exposing core risk drivers.
Lessons learntProvide ERM techniques to the Business Units•The process only really helped the executive teams.•There is scope for extending the process to operational teams and helping them expose and manage risks associated with them achieving their objectives. •The long term plan should be to share the risk management information between the various silos and use a common risk of risk reporting lines•The RM department now reports to company secretary. •Sustainability and HSE was included under the risk management department.
2 Readings –Purdy G & Akzo Nobel CasePlus
Various ERM Frameworks
establish contextidentify risksanalyserisksISO31000evaluate risksAssess Risktreat risksCovered in weeks 4 & 5 lectures !!Communicate and ConsultMonitor and Review
COSO(TheCommittee of Sponsoring Organizationsof the Treadway Commission)
COSO ERM -Overview•Derived from Internal Control Integrated Framework•Became the de-facto ERM standard for SOX 404 compliant organisations•ProsWidely accepted by US organisationsProvides a detailed and prescriptive approachIs an ERM methodology•ConsComplex documentation 266 pages Confusing terminologyAudit and financial biasMisses out on opportunity risk
COSO ERM –Detail ViewCOSO defines ERM“a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”•Achievement of objectives :Strategic –high-level goals, aligned with and supporting its missionOperations –effective and efficient use of its resourcesReporting –reliability of reportingCompliance –compliance with applicable laws and regulations
COSO ERM –ComponentsInternal EnvironmentThe internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they SettingObjectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
COSO ERM –ComponentsEvent Identification Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting Assessment Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual Response Management selects risk responses –avoiding, accepting, reducing, or sharing risk –developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
COSO ERM –ComponentsControl ActivitiesPolicies and procedures are established and implemented to help ensure the risk responses are effectively carried and CommunicationRelevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.Review Question
CAS(Casualty Actuarial Society Framework)
CAS ERM -Overview•Developed by CAS US in 2003 looking at risk type and RM process instead of 3 dimensional process used by COSO. •Tends to focus more on methodologies such as quantitative techniques rather than organisational issues -being developed by actuaries, this is probably to be expected.•CAS ERM document (pg 27) has case studies in implementing ERM•Page 32 describes practical considerations of implementing ERM :Designating an ERM ChampionMaking ERM part of the enterprise culture (“tearing down the silos”)Determining all the possible risks of the organisationQuantifying operational and strategic risksIntegrating risks (determining dependencies etc)Lack of appropriate risk transfer mechanismsMonitoring the processStart Slowly –Build upon successes
Victorian Government RM Framework(VGRMF)
VGRMF-Overview•Developed in 2007 by the Department of Treasury and Finance to improve risk reporting and corporate governance in the Victorian Public sector.•All government departments and most agencies produce annual reports. Similar to ASX, required to disclose/attest : Agencies have a RM process in place that meets the ASNZ standard or equivalent Processes are effective in controlling risk to a satisfactory levelResponsible body or audit committee verifies that view•Identify agency risksInter agency risksState-wide risks
VGRMF-Overview•Updated in 2011 –adopts key parts of ISO31000 methodology•Review Question
Measuring ERM Maturity
Overview comments•Measuring ERM maturity is a challenge with : different industries, approaches (COSO ISO etc)Self audit vsindependent auditVaried stakeholder expectations•Common benchmarking methodology for ERM is being sought by both public/government sector and private sector. •For public sector : expectation that government organisations are managing risk well in the public interest. political leaders care deeply about their reputation and want to limit the chances of nasty surprises
Public Sector Efforts•In Victoria, the VMIA Victorian Managed Insurance Authority operate an ERM audit process called the Risk Management Framework Quality Review (RFQR) :government departments are audited every couple of years and assessed in terms of their ERM maturity.•Federal government operate a similar process which is coordinated by Comcover :they look at large government organisations and have been using a self assessment questionnaire.
Private sector efforts•In private sector, Standard and Poor’s have been working on an assessment methodology for insurers, finance companies and non financial companies. •The purpose of S&P’s ERM assessment is based on the premise that a company with good ERM is likely to be a better manager of risk providing improved stability of their credit rating.•Readings questions.
Risk & Insurance Management Society (RIMS)•Founded in 1950s in the US.•Is a non profit organisation that promotes the use of ERM in the public and private sector. •Has focus on the following : Adoption of ERM-based approachERM process managementRisk appetite managementRoot cause disciplineUncovering risksPerformance managementBusiness resiliency and sustainability
Others
Others
Others
Assignment 2