Developments Advanced in Risk Analysis and Risk Management

Lori Brown, Seton Hall University
Robert Roach, New York University
Jean Demchak, Marsh

Program Speakers:
Lori Brown, Director of Compliance & Risk Management, Seton Hall University, South Orange, NJ
Jean Demchak, Managing Director, Global Education Leader, Marsh, Inc., New York, NY
Robert F. Roach, Chief Compliance Officer, New York University, New York, NY

“It wasn’t the risk we knew about that concerned us, but the risks we were unaware of that worried us the most.”
Chris McAlary, VP Finance, Mount St Mary’s College

Program Overview
1. Trends in risk management and the impact of ERM on credit ratings.
2. Developing an institutional ERM program.
3. Practical risk management tools for compliance and ERM programs.

Risk: Upside and Downside
All organizations face internal and external factors that make it uncertain whether and when they will meet their objectives. The effect of this uncertainty on achieving objectives is called risk.

Risk Management in Application
Risk management principles can be applied to any type of risk, whatever its nature, whether it has positive or negative consequences.
Compliance Programs: use risk management principles to help identify, assess, evaluate, and treat ethical and regulatory risks.
Enterprise Risk Management (ERM): a coordinated program applied throughout the life of an organization and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, and services.

Risk Assessment and Management Process
1. Organizational Context: What are your organization’s objectives, structure and operations?
2. Risk Identification: What are the possible risk events your organization faces?
3. Risk Assessment:
   o What is the likelihood of the risk event happening?
   o What is the potential impact of the risk event?
4. Risk Evaluation: Having assessed the risks:
   o What is your organization’s “appetite” for risk?
   o What are the most important risks to address?
5. Risk Treatment: What steps must be taken to mitigate the risks identified?
6. Monitoring, Review and Corrective Action:
   o Are internal controls working effectively to mitigate risk?
   o Is there any corrective action needed?
7. Communication: throughout the organization.

Simple Risk Assessment Diagram
Identified Risks (examples): Conflicts of Interest; Medicare/Medicaid Billing; Time and Effort Reporting; Tax Exempt Bonds; Executive Compensation; Record Retention; Export Controls; EEO/AA Laws.

Risk Evaluation
Having assessed the risks:
o What are the most important risks to address?
o What is your organization’s “appetite” for risk?

Risk Response
• Avoidance
• Reduction/Mitigation (Internal Controls)
• Sharing (e.g. Insurance)
• Acceptance
   o Crisis Management Plans
   o Business Continuity Plans
   o Other Operational Plans

Control Activities
• Organizational/Process Controls
   o E.g. Separation of Duties
• Documentation
   o Written Policies and Procedures Essential
• Training
• Audit Trails
   o Final results should be traceable back to originating transactions
• Security and Integrity
   o Access Controls

Strategic Risk Management: Expectations and Opportunities
Areas where senior management’s expectations of risk management have grown
[Bar chart with responses from Risk Managers, C-Suite and Finance on a 0–50% axis; the percentages are not recoverable]
• Integrate with operations
• Execute day-to-day RM activities efficiently
• Improve quantification/analysis
• Understanding of non-insurable risks
• Increase involvement in strategic planning
• Lead ERM activities
• Work with lower headcount
• Serve on RM committee
• Increase use of technology
• Understanding of RM ROI
Source: Excellence in Risk Management VIII

Strategic Risk Management: Expectations and Opportunities
Key performance indicators (KPIs) (chart legend: primary, secondary and tertiary KPIs)
• Manage RM value through TCOR: 20%
• Competitive procurement of risk transfer: 15%
• Financial measures for retained/insured exposures: 15%
• Insurance budget management: 13%
• Mitigate liabilities/support preparedness: 7%
• Align RM objectives with company risk tolerance: 6%
• RM alignment with company goals: 5%
• Build strategic risk awareness across organization: 4%
• Deliver successful claim results: 3%
• Compliance: 3%
Source: Excellence in Risk Management VIII

Strategic Risk Management: Expectations and Opportunities
Effectiveness of risk committees
How effective are cross-functional risk committees?
[Pie chart: Very effective / Somewhat effective / Not effective; the values shown are 8%, 30% and 62%, but which value belongs to which answer is not recoverable]
How could your firm’s cross-functional risk committee become more effective?
• Consider risks more strategically: 55%
• Disseminate information more widely: 44%
• Increase visibility of senior management support: 36%
• Use a wider range of analytics: 36%
• Engage senior management to communicate support: 30%
Source: Excellence in Risk Management VIII

Strategic Risk Management: Expectations and Opportunities
Primary focus areas for developing RM capabilities
[Bar chart comparing 2011, 2010 and 2009 responses; the values are not reliably recoverable]
• Strengthen ERM
• Training/education
• Technology upgrades
• Current employees
• Restructure insurance programs
Source: Excellence in Risk Management VIII

Strategic Risk Management: Expectations and Opportunities
Barriers to senior management’s understanding of the risk landscape
• Siloed approaches to RM: 42%
• Lack of awareness of ERM concepts: 39%
• Organizational structure: 34%
• Inadequate RM representation at Board/C-suite level: 31%
• Lack of relevant risk data: 31%
• Inadequate link to strategies: 27%
• Demonstrating value of ERM: 27%
Source: Excellence in Risk Management VIII

Strategic Risk Management: Expectations and Opportunities
Top Ten Risks (Company’s Top Risks)
Rank and readiness* by respondent group: Risk Managers | C-suite | Finance
 1. Economic conditions      1 (30%)  | 1 (26%)  | 5 (31%)
 2. Business disruption      2 (76%)  | 3 (58%)  | 1 (63%)
 3. Reg./Compliance          3 (60%)  | 5 (59%)  | 3 (62%)
 4. Legal or reg. shifts     4 (44%)  | 2 (47%)  | 6 (53%)
 5. Litigation or claims     6 (70%)  | 5 (63%)  | 9 (56%)
 6. Tech./systems failure    7 (63%)  | 11 (65%) | 3 (60%)
 7. Brand/reputation         5 (44%)  | 8 (51%)  | 12 (35%)
 8. Data sec./breach         9 (65%)  | 7 (60%)  | 8 (53%)
 9. Physical resources       8 (80%)  | 20 (61%) | 2 (73%)
10. Business continuity     10 (67%)  | 13 (64%) | 17 (58%)
* Percent of respondents with a management plan in place or a recent review undertaken of the risk
Source: Excellence in Risk Management VIII

What is ERM and Why Does it Matter to Higher Education?
Definition of Enterprise Risk Management (ERM)
A structured, consistent, and continuous risk management process applied across the entire organization that brings value by:
1. Proactively identifying, assessing, and prioritizing material risks
2. Developing and deploying effective mitigation strategies
3. Aligning with strategic objectives and administrative processes
4. Embedding key components into the organization’s culture:
   1. Risk ownership, governance, and oversight
   2. Reporting and communications
   3. Leveraging technology and tools
5. S&P incorporating an ERM reference into industry credit rating reports

The Four Quadrants of Risk
[Diagram; no text recovered]

Sample Enterprise Risk Issues in Higher Education
Higher education enterprise risk inventory (1)
Teaching and Student Life
 Students:
 • Student satisfaction/preferences
 • Inter-class relations
 • Housing
 • Athletics
 • Admissions policy
 • Recruitment
 • Retention
 • Greek life/Student life
 • Student welfare
 • Student judiciary
 Faculty:
 • Attract and retain faculty
 • Tenure policies
 • Curricula/program design
 • Research & development
 • Intellectual property
 • Fraudulent research
 • Fraudulent credentials
External Stakeholders
 Alumni:
 • Alumni relations
 • Endowment
 • Donations
 • Research & development programs
 • Athletic rankings
Remaining inventory categories (Human Capital, Finance, Integrity, Process, Strategy, Information Technology, Environmental Health/Safety, External Access), whose items appear in the original in a column layout that is not recoverable here:
Employment practices; Faculty/tenure succession planning; Tuition rates/tuition stability; Cost of capital/interest rate fluctuations; Conflict of interest; Employee fraud; Athletics; Business interruption; Field courses; Student activities; Reputation/branding; Marketing; Foreign expansion; Admissions policy; Availability; Privacy; Visitors and contractors; Environmental compliance; Demographics; Corporate/institutional alliances; Community outreach; Endowment; Donations; Performance incentives; Expansion capital; Brand/reputation; Academic rankings; Employee stress/burnout; Compensation; Unionization; Workforce productivity; Hiring and retention; Pension fund; Claim reserve liability; Risk financing; Litigation; Illegal acts; Management fraud; Third party fraud; Unauthorized acts; Faculty bookings; Infrastructural renewal and capacity; Regulatory compliance; Failure to educate; Licensing; Vendor alliances; Contract commitment; Product and delivery model; Outsourcing; Planning; Intellectual property; Data integrity; e-Commerce; Relevance; Reliability; Ethical decision-making; Technological capacity; Illness/injury to faculty, students or staff; Competition; Natural hazards; Economy; Campus security; Resource allocation; Technology transfer; Infrastructure; Internet security; Special events; Student/faculty travel; Social responsibility.
(1) This inventory does not capture the risks associated with a university medical center.
Source: Mercer Oliver Wyman, 2006

ERM Compliance Factors: Commentary
• Compliance and ethics oversight has traditionally been the responsibility of an institution’s legal department
• Risk management procedures of institutions are under increasing regulatory and private scrutiny
• There has been a shift from a defensive function focused on policies, procedures and expenditures to a strategic function focused on optimizing resource allocation and effectiveness
• Recent mandates and guidelines are fueling the momentum

ERM Compliance Factors: Current and Emerging Standards and Guidelines
GUIDELINES & BEST PRACTICES:
• Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM Framework
• Standard & Poor’s (S&P) ERM Ratings Criteria for Non-Financial Organizations
• ISO 31000
EMERGING REGULATIONS & GUIDELINES:
• Accreditation requirements?

ERM Guidelines and Best Practices: Overview of S&P’s ERM Ratings Criteria
Culture
• Organizational structure
• Risk management staff roles and accountability
• Risk communication (internal and external)
Emerging Risk Preparation
• Environmental scanning, trending, stress testing, contingency planning and other pre-loss practices
• Expectation planning for negative events; pre- and post-loss performance
Strategic Risk Management
• Utilization of risk management and return on risk in strategic decision making
• Risk consideration within capital budgeting and allocation, performance measurement and other administrative practices
Risk Controls
• Risk limit application and enforcement
• Risk control processes: policies, infrastructure, methodology (PIM)
• Risk identification, measurement and monitoring
• Sector- and firm-specific risk control criteria

ERM Guidelines and Best Practices: ISO 31000
6.2 Communication & Consultation
6.3 Establishing the context
6.4 Risk Assessment
   6.4.2 Risk identification
   6.4.3 Risk analysis
   6.4.4 Risk evaluation
6.5 Risk treatment
6.6 Monitoring & Review
Source: International Organization for Standardization
• The ISO 31000 Risk Management Standard follows the Australian/New Zealand Standard
• Released in late 2009
• No current certification standard, but one may follow

ERM Compliance Factors: Common Elements of ERM Frameworks
• They outline a process for ERM implementation that includes:
   – Risk identification and assessment
   – Risk prioritization
   – Risk solution design and implementation
   – Routine monitoring and reporting
   – Communication
• They recognize that good risk management must be embedded into the organization’s day-to-day activities
• They consider both the ‘upside’ and ‘downside’ of risk
• They are not one size fits all

How to Initiate an ERM Program: Building Senior-Level Support
• Elements of an ERM value proposition:
   – Optimal capital deployment
   – Continued or improved rating agency confidence
   – Effective critical event response
   – Better decision making relative to risks assumed
   – Enhanced stewardship and governance

Developing the Team/Structure
[Organization chart, top to bottom]
Board of Trustees (receives risk reports)
   President/Senior Leadership (receives risk reports); Internal audit
      Risk Management Committee: Provost; Finance/Legal/HR; Select Deans; Ext Affairs; Risk Mgr?
         RM, Compliance, Audit: ERM functional representation, risk management activity support and shared services
            College A, College B, College C; Dept A, Dept B, Dept C: risk information and root data, issues management

Understanding Where You Want to Go…
Critical success factors
• Establish the right vision and realistic plan
• Obtain senior leadership buy-in and direction
• Align with mission and strategic objectives
• Attack silos at the onset
• Set objectives / performance / early warning indicators
• Stay focused on results
• Communicate vision and key outcomes
• Develop a sustainable process vs. a one-time project

…Then Making It Happen
1. Envision the Future State
2. Assess the Current State: Risk Identification, Assessment & Prioritization; Risk Mitigation & Controls; Risk Management Infrastructure; Governance & Accountability
3. Implement ERM / Implement Risk Solutions, with ERM integration into: Reporting; Routine Processes; Strategy / Strategic Plan; Policies, Processes & Procedures; Organizational Culture; Technology & Systems; Culture

Keep in Mind: ERM is a Journey, Not a Destination
Maturity stages, ordered from LOW to HIGH link to strategy and stakeholder value:
Risk Specialization (Insurance & Compliance)
• Isolated and independent risk management activities
• Limited focus on the linkage between enterprise-wide risks and strategies
Enterprise Risk Awareness (Core ERM Practices)
• Adopt an ERM framework
• Assign executive ownership of risk management
• Conduct routine risk assessments
Risk Management Integration (Risk Management Philosophy)
• Implement a fully integrated ERM structure based on a framework
• Monitor & report on risks through the enterprise
• Coordinate ERM activities
Value Creation & Risk Optimization (Risk-Reward Optimization)
• Embed risk management into strategic planning
• Monitor risks with early warning risk indicators
• Link risks to stakeholder value
• Drive sustainable performance

A Few Practical Tools and Deliverables
Sample Risk Map (illustration)
[Grid of likelihood (Low / Medium / High) against impact (Very Low / Low / Moderate / Major / Catastrophic); the 19 key risks below are plotted as tier one, tier two and tier three risks; individual positions are not recoverable]
Key risks:
1. Intellectual Property
2. Greek Life
3. Pension Funding
4. Succession Planning
5. Student Safety
6. Economy
7. Alumni Relations
8. Faculty Retention
9. Tuition Rate
10. Athletics
11. Research Compliance
12. Community Relations
13. Information Technology
14. Delivery Channel
15. Demographics
16. Operating Model
17. Research Grants
18. Endowment Performance
19. Privacy

Sample Questions for the Board of Trustees (Yes / No)
• Did we receive material which adequately distilled vast quantities of risk information into prioritized, actionable summaries?
• Were the risks associated with key departments presented in a comprehensive, holistic manner?
• Were any losses that occurred related to risks that have been identified? Are the losses consistent in magnitude and frequency with the risk profile?
• Did management tie revenues, losses, surprises and specific material events to the presented risk profile?
• Did management outline strategy-altering scenarios? For example, could multiple problems arise simultaneously or sequentially (the “perfect storm”)?
• Was management forthcoming about any differences among senior leadership regarding material strategic recommendations and decisions?
• Were the assumptions underlying our strategy effectively challenged and tested against changes in the external environment?

Sample Questions for the Board of Trustees, cont. (Yes / No)
• Did management outline the processes used to develop the data and information that relate strategy with identified risk?
• Do we have a common understanding of the types of triggers that bring an issue to our attention?
• Were we provided with an understanding of what capabilities are required to address the institution’s risks? Were capability gaps identified?
• Do we have a common understanding among management and the board about the roles, responsibilities, and accountabilities relative to risk oversight?
• Did we discuss the details of risk appetite with management?
• Do we need a chief risk officer (CRO) or a similar resource?
• Do we have the appropriate committee structure and reporting lines to ensure we meet our risk oversight obligations?
• Do we have sufficient personnel (including advisors) and financial resources in place to enable us to fulfill risk engagement responsibilities?
Risk Identification
• Initial interview with Risk Owner
   – What issues/areas of concern keep them up at night?
   – What is the probability of occurrence, taking into account controls already in place?
   – Risk owner’s impression of impact level.
• Create a basic risk register. Focus on high-probability and high-impact risks.
Risk register columns: Person Interviewed | Risk Owner | Department | Area of Concern | Issues | Effect on Other Departments | Probability of Occurrence (H = >70%, M = 30–70%, L = <30%) | Impact

Arthur Andersen LLP v. United States
• The US Supreme Court recognized the legitimacy of managing and systematically disposing of records pursuant to a records retention policy
• The Supreme Court held: “‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.”*
*544 U.S. 696, 704 (2005)

Likelihood of Occurrence**
Level | Descriptor | Description | Indicative Frequency (expected to occur)
1 | Very Rare | Heard of something like this occurring elsewhere. | Once every thirty years.
2 | Unlikely | Low likelihood of the event happening. The event does occur somewhere from time to time. | Once every three to ten years.
3 | Possible | Medium likelihood of the event happening. The event has occurred at least once in your career. | Once every three years.
4 | Likely | The event has occurred several times or more in your career. | Once every year or less.
5 | Almost certain | High likelihood of the event happening. The event has occurred in the last six months. | More than once a year.
**NOTE: Please rate the likelihood of the event occurring AFTER taking into account the adequacy of existing controls.

Likelihood/Probability of Occurrence
Severity Level | Probability
HIGH (H) | >70% chance that the risk event will occur within the next year.
MEDIUM (M) | Between 30% and 70% chance that the risk event will occur within the next year.
LOW (L) | <30% chance that the risk event will occur within the next year.

Communication
• Each risk owner creates a project plan, including timelines for mitigating that risk.
• The risk owner provides semi-annual progress updates on risk mitigation projects.
• This information is provided to the Audit Committee of the Board of Trustees.

Project update template:
1. General Project Information
   Project Title:
   Project Sponsor/Department:
   Project Summary:
2. Project Update
   Current Status: List completed action items and project successes thus far.
   Remaining Tasks: List the remaining tasks/action items which are needed for the successful completion of the project.

“Meeting challenges gives rise to opportunities.”

QUESTIONS
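The likelihood table, the H/M/L probability bands and the basic risk register described above can be turned into a small scoring tool that ranks register entries and lays them out on a risk map. The Python below is an added example and is not code from the presentation or its authors. The probability bands (H >70%, M 30–70%, L <30%), the five likelihood levels and the Very Low to Catastrophic impact scale are taken from the deck; the score (likelihood level × impact level), the tier cut-offs, the register fields and the sample entries are assumptions constructed for the example.

```python
"""Risk register scoring on the deck's likelihood, probability and impact scales.

Added example, not code from the presentation. Assumed here: score = likelihood x
impact, the tier cut-offs, the register fields and the constructed sample entries.
"""
from dataclasses import dataclass, field

# Impact scale from the sample risk map's x-axis, mapped to 1-5.
IMPACT_LEVELS = {"Very Low": 1, "Low": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
# Five-level likelihood scale from the likelihood table.
LIKELIHOOD_DESCRIPTORS = {1: "Very Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
# Assumed tier cut-offs on the 1-25 score (the deck does not define them).
TIER_CUTOFFS = ((15, 1), (8, 2), (0, 3))


@dataclass
class RiskEntry:
    """One row of the basic risk register (fields follow the register columns)."""
    risk_id: int
    area_of_concern: str
    risk_owner: str
    department: str
    probability_next_year: float  # rated AFTER existing controls, 0.0-1.0
    likelihood_level: int         # 1-5 from the likelihood table
    impact: str                   # a key of IMPACT_LEVELS
    affects_other_departments: list = field(default_factory=list)


def probability_band(p: float) -> str:
    """Deck's probability scale: H = >70%, M = 30-70%, L = <30% within the next year."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    if p > 0.70:
        return "H"
    if p < 0.30:
        return "L"
    return "M"


def risk_score(entry: RiskEntry) -> int:
    """Likelihood level times impact level (assumed scoring, range 1-25)."""
    if entry.likelihood_level not in LIKELIHOOD_DESCRIPTORS:
        raise ValueError(f"likelihood level must be 1-5: {entry.likelihood_level}")
    if entry.impact not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level: {entry.impact!r}")
    return entry.likelihood_level * IMPACT_LEVELS[entry.impact]


def tier(score: int) -> int:
    """Map a score to tier one/two/three using the assumed cut-offs."""
    for floor, t in TIER_CUTOFFS:
        if score >= floor:
            return t
    raise ValueError(f"score out of range: {score}")


def prioritize(register):
    """Register rows with band, score and tier, highest priority first."""
    rows = []
    for e in register:
        s = risk_score(e)
        rows.append({"risk_id": e.risk_id, "area_of_concern": e.area_of_concern,
                     "risk_owner": e.risk_owner, "impact": e.impact,
                     "band": probability_band(e.probability_next_year),
                     "likelihood": LIKELIHOOD_DESCRIPTORS[e.likelihood_level],
                     "score": s, "tier": tier(s)})
    # Tier first, then higher score, then id so ties keep a stable order.
    rows.sort(key=lambda r: (r["tier"], -r["score"], r["risk_id"]))
    return rows


def risk_map_cells(register):
    """Group risk ids by (likelihood level, impact level): one cell of the risk map each."""
    cells = {}
    for e in register:
        risk_score(e)  # validates both levels before placing the entry
        cells.setdefault((e.likelihood_level, IMPACT_LEVELS[e.impact]), []).append(e.risk_id)
    return cells


def render_risk_map(register) -> str:
    """Text risk map: rows are likelihood 5..1 (top = most likely), columns impact 1..5."""
    cells = risk_map_cells(register)
    lines = [f"{'Likelihood / Impact':>20} | " + " | ".join(f"{i:^12}" for i in IMPACT_LEVELS)]
    for lvl in sorted(LIKELIHOOD_DESCRIPTORS, reverse=True):
        row = []
        for imp in IMPACT_LEVELS.values():
            ids = ",".join(str(i) for i in cells.get((lvl, imp), []))
            row.append(f"{ids:^12}")
        lines.append(f"{LIKELIHOOD_DESCRIPTORS[lvl]:>20} | " + " | ".join(row))
    return "\n".join(lines)


# Constructed sample register: risk names echo the deck's sample risk map, all values are invented.
SAMPLE_REGISTER = [
    RiskEntry(1, "Privacy (student record exposure)", "CIO", "Information Technology", 0.40, 4, "Major", ["Registrar", "Legal"]),
    RiskEntry(2, "Research compliance (time and effort reporting)", "VP Research", "Sponsored Programs", 0.75, 5, "Moderate", ["Finance"]),
    RiskEntry(3, "Pension funding shortfall", "CFO", "Finance", 0.20, 2, "Catastrophic", ["HR"]),
    RiskEntry(4, "Greek life incident", "Dean of Students", "Student Life", 0.55, 3, "Moderate"),
    RiskEntry(5, "Alumni relations decline", "VP Advancement", "External Affairs", 0.10, 1, "Low"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"tier {r['tier']}  score {r['score']:>2}  {r['band']}  {r['area_of_concern']} ({r['risk_owner']})")
    print(render_risk_map(SAMPLE_REGISTER))
```

The band and the level are kept as separate fields on purpose: the deck's H/M/L scale is a one-year probability rated after existing controls, while the five-level table is a descriptor of how often the event is expected to recur, and an entry can sit in the M band yet still score into tier one on impact alone (entry 1 above does). Running the script prints the prioritized register followed by the text risk map.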